The Federal Trade Commission’s (FTC) press release announcing Chairwoman Edith Ramirez’s January 13 resignation touted the Commission’s successful defense of its authority to “bring enforcement actions for unreasonable data security practices.” Chairwoman Ramirez and her two predecessors during the Obama Administration used that authority to bring scores of data-security cases under § 5 of the FTC Act, the overwhelming majority of which were settled. One of the Commission’s last acts under her leadership, not surprisingly, was filing a data-security suit on January 5 against device manufacturer D-Link.

For the past 8 years, Chairwoman Ramirez and her two predecessor Chairmen embraced and promoted the notion that the terms of data-security-action consent decrees—of which there have been more than 60 since 2002—amount to a “common law” that helps to define § 5’s amorphous proscription of “deceptive” or “unfair” acts or practices. Such reliance on privately-negotiated, case-specific settlement agreements, as WLF has argued in amicus briefs, as a source of legal guideposts is antithetical to the Rule of Law and denies regulated entities their due-process right of fair notice.  The incoming new Commission leadership should end this practice and pursue a more transparent approach to data-security regulation.