"Nothing in Section 5 suggests that Congress intended to give the FTC the authority to regulate data security" the Chamber of Commerce said in its 25-page motion to dismiss.
That motion noted that the FTC's data security enforcement actions harken back to its overzealous use of the unfair and deceptive practices provisions to pursue other perceived business misdeeds in the past. The agency's past enforcement excesses using Section 5 led to Congress imposing restrictions on its authority in 1994, the Chamber argued.
"Despite these acknowledged statutory constraints, carefully calibrated by Congress in response to years of agency overreaching, the FTC again is attempting to use Section5 inappropriately," the Chamber said.
Berin Szoka, president of TechFreedom, said the case is important because it's the first time since the FTC began its data breach enforcement actions nine years ago that any company had challenged its enforcement authority.
All of the 41 companies hit with FTC lawsuits so far have quietly acquiesced to its settlement terms for fear of attracting more attention and trouble, Szoka said. When confronted with the choice of settling a case or going through a long and potentially costly investigative and discovery process, companies tended to choose the former, he noted.
"The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law," he said. Even so, it has not established any such law through its enforcement actions, he said.
"Here, all you have to go on are these 41 enforcement actions where the FTC has convinced companies to settle out of court with no adjudication. The courts have never signed off and said we think this is the proper interpretation," Szoka said.
As a result, companies have little information to guide them on what exactly constitutes reasonable care, deception and unfair practices in the FTC's eyes, he said.
Chris Hoofnagle, director of information privacy programs at the University of California Berkeley Center for Law & Technology, described the dismissal efforts as a "Hail Mary effort to stop the FTC from enforcing its unfairness power.
"For decades, long before the FTC became involved in privacy, business groups have tried to cabin the FTC so that it can only enforce wrongs that were addressable by the common law," Hoofnagle said in emailed comments to Computerworld.
In an amicus brief supporting the FTC's position, Hoofnagle noted that the agency's enforcement actions have served as the only effective means of holding companies accountable for failing to protect data entrusted to them by consumers.
Although consumers can suffer substantial harm from a data breach, federal courts have been reluctant to recognize private tort action against breached entities. So the FTC enforcement actions have been the primary protection for consumers, he said.
Sign up for Computerworld eNewsletters.