Federal Trade Commission's Regulation of Data Security Under Its Unfair or Deceptive Acts or Practices (UDAP) Authority [September 11, 2014]
"The Federal Trade Commission Act established the Federal Trade Commission (FTC or Commission) in 1914. The protection of consumers from anticompetitive, deceptive, or unfair business practices is at the core of the FTC's mission. As part of that mission, the FTC has been at the forefront of the federal government's efforts to protect sensitive consumer information from data breaches and regulate cybersecurity. As the number of data breaches has soared, so too have FTC investigations into lax data security practices. The FTC has not been delegated specific authority to regulate data security. Rather, the FTC has broad authority under Section 5 of the Federal Trade Commission Act (FTC Act) to prohibit unfair and deceptive acts or practices. […] Several cyber and data security bills before Congress include provisions that would explicitly authorize the FTC to issue rules to implement data security standards and assess civil penalties. The FTC has called for federal legislation that would strengthen its existing authority governing data security standards and require companies to provide breach notification to consumers. This report provides background on the FTC and its legal authorities in the context of data security, and discusses the two aforementioned cases."
CRS Report for Congress, R43723
Federation of American Scientists: http://www.fas.org/sgp/crs/index.html