After a data breach, companies are often accused of having failed to adequately protect their customers' information, with that failure, so the argument goes, having led to the breach. Who brings these allegations? Many may think that they are brought by “the government.” However, there is no single agency in the United States charged with enforcing data protection. Instead, there is a patchwork of regulatory agencies that handle these issues, depending on both the nature of the company’s business and the activities in which it engages.
Historically, the Federal Trade Commission (FTC) has taken the lead in privacy law enforcement, largely bringing privacy violation actions under an unfair or deceptive trade practice theory. Now, however, with the rise of security breaches and an ever-increasing ability for companies to collect, store, and make use of consumer data, state attorneys general (AGs) and the class action bar are joining the brigade by bringing privacy-related actions under varied legal theories. This medley of enforcers and laws, coupled with the evolving nature of privacy concerns generally, means that companies in the United States face significant compliance challenges both when developing new products and technology and when establishing or refining programs to protect existing data and information systems.
What does all of this mean? As companies face the reality that they may be the next victim of a data breach, they must also understand and prepare themselves for the additional legal challenges that could follow. This is an area of the law that is constantly developing, and courts have had different interpretations of what plaintiffs must show to maintain a suit. It is clear that businesses are faced with a multifaceted enforcement landscape, which adds a significant layer of complexity to the existing collection of data-privacy-related laws that companies must juggle.