Feb 17, 2017

The FTC Can Regulate Cybersecurity, Say I School Professors

A group of privacy and security scholars weighed in yesterday on an ongoing lawsuit challenging the authority of the Federal Trade Commission to regulate companies’ data security practices.

The dispute started when the FTC attempted to punish medical-testing company LabMD for making its patients’ medical records available on a file-sharing server. LabMD challenged the FTC’s requirement that companies implement “reasonable” data security measures, arguing that the standard was too vague; if the FTC wants to regulate cybersecurity, it needs to specify detailed, uniform standards, said LabMD.

The eight professors — including School of Information professors Chris Jay Hoofnagle and Deirdre Mulligan — back the FTC’s approach in their amicus curiae brief, filed yesterday with the Eleventh Circuit Court of Appeals.

“The FTC’s approach of policing reasonable security standards allows businesses to focus on the ‘how’ of ensuring information security, rather than dictate extensive rules,” explained Hoofnagle.

The brief cites empirical research on corporate practices to show that the FTC’s approach “is driving corporate innovation and an evolving understanding of best practices to protect consumers’ personal information,” as demonstrated in extensive research by Mulligan and co-author Kenneth Bamberger.

In fact, the one-size-fits-all approach LabMD is lobbying for is simply impossible, the authors argue. What constitutes “reasonable” data security for a particular company depends on the details of the context and the consumer expectations.

The brief also argues that the FTC is authorized to enforce cybersecurity standards preventatively, rather than waiting for actual data breaches. The authors highlighted the importance of being able to trust the companies that have our data. Even before we learn about a breach, the uncertainty and insecurity can affect our business relationships.

In addition to Hoofnagle and Mulligan, authors of the brief included Bamberger, Woodrow Hartzog, William McGeveran, Paul Ohm, Daniel J. Solove, and Peter Swire.

Chris Jay Hoofnagle is adjunct full professor of information and of law at UC Berkeley and the author of Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016).

Deirdre K. Mulligan is an associate professor in the UC Berkeley School of Information and a faculty director of the Berkeley Center for Law & Technology at the UC Berkeley School of Law. Mulligan is the co-author of Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press), the first empirical, comparative, international exploration of how legal choices in the U.S. and four European countries impact corporate privacy practice, and of more than 50 articles on privacy and security law, and technology.

Adjunct professor Chris Hoofnagle
Associate Professor Deirdre Mulligan

Last updated: February 17, 2017