Brooklyn Journal of Corporate, Financial & Commercial Law


Jennifer Gordon


Privacy has come to the forefront of the technology world as third-party hackers are constantly attacking companies for their customers’ data. With increasing instances of compromised customer information, the Federal Trade Commission (FTC) has been bringing suit against companies for inadequate data security procedures. The FTC’s newfound authority to bring suit regarding cybersecurity breaches, based on the Third Circuit’s decision in FTC v. Wyndham Worldwide Corp., is a result of inaction—Congress has been unable to pass sufficient cybersecurity legislation, causing the FTC to step in and fill the void in regulation. In the absence of congressional action, this self-proclaimed authority is improper. This Note proposes that Congress enact a law giving the FTC actual authority to regulate data breaches. Thereafter, the FTC should use its rulemaking authority to establish procedural data security guidelines for companies to follow; this Note offers procedural guidelines for the FTC to enforce. It is necessary for companies to know how to protect themselves against FTC enforcement actions. As cyber risk is burgeoning, as self-regulation has proven insufficient, and as the FTC is continuously bringing suit against companies for inadequate data security, it is further necessary for companies to obtain stand-alone cyber insurance to protect themselves in the modern marketplace.