Catholic University Law Review


As technology continues to be an integral part of daily life, there lies an ever-increasing threat of the personally identifiable information of consumers being lost, stolen, or accessed without authorization. The Federal Trade Commission (FTC) is the U.S. government’s primary consumer protection agency and the country’s lead enforcer against companies subject to data breaches. Although the FTC lacks explicit statutory authority to enforce against data breaches, the Commission has successfully relied on Section 5 of the FTC Act (FTCA) to exercise its consumer protection power in the data security context. However, as the FTC continues to take action against businesses whose unfair data security practices have led to data breaches, private companies are questioning the agency’s authority to do so. Thus, the FTC is pushing for federal legislation to strengthen its existing authority to govern business entities’ data security practices.

Part I of this Comment examines the FTC’s exercise of authority with regard to data breaches under Section 5 of the FTCA, noting that, over the course of many actions, the FTC’s authority on such matters was not contested, resulting in settlements between the parties. Part II discusses how certain companies have challenged the FTC’s authority to take enforcement actions against data breaches, and how recent court rulings may affect the results of a potential Target breach investigation. Part III discusses how recently introduced federal legislation may deter data breaches by clearly establishing the FTC’s authority while also proposing an extension of this legislation to ensure that liability is imposed against all entities that are subject to data breaches.