The U.S. Federal Trade Commission (FTC) is among the most important cybersecurity regulators. This talk will explain how this century-old competition and consumer law agency came to “own” cybersecurity in the private sector. The FTC uses its power to prevent unfair and deceptive trade practices to promote “reasonable” security practices in the private sector. The FTC does so not through promulgating formal rules, but rather by selectively enforcing the ban on deceptive and unfair practices against companies with particularly bad security. The FTC’s interventions have several knock on effects, including the bolstering of the quality of consent businesses must obtain from users when monitoring them, the erosion of both intermediary and software immunity, and the promotion of citizen privacy expectations with regard to state surveillance.

The FTC approach appears beneficial, yet it also raises important questions: How can this small agency that only brings about 20 cases a year possibly promote security in a meaningful way? What “cybersecurity” is promoted by a consumer-protection-oriented agency, and is this the kind of security we most need? Should “reasonable security” be the FTC’s lodestar, or has security become as important as product safety, thus requiring a higher standard, such as strict liability? How can the FTC signal its expectations to businesses and afford them due process without developing formal rules, which can be sclerotic?

Chris Jay Hoofnagle holds dual appointments as adjunct professor in the School of Law and the School of Information (where he is resident). He is the author of Federal Trade Commission Privacy Law and Policy (Cambridge University Press) and an elected member of the American Law Institute.

At Berkeley, Hoofnagle has taught computer crime law, internet law, information privacy law, and seminars on the FTC and on education technology.

Hoofnagle co-chairs the annual Privacy Law Scholars Conference. He has served on the AAUP’s Committee A on Academic Freedom and Tenure. He is also a member of the San Francisco Electronic Crimes Task Force, Palantir Technology’s Council on Privacy and Civil Liberties, and InfraGard.

Licensed to practice in California and Washington, D.C., Hoofnagle is of counsel to Gunderson Dettmer Stough Villeneuve Franklin & Hachigian, LLP.