For twenty-five years, the Federal Trade Commission (FTC) has brought enforcement actions against companies for data breaches using its statutory authority under Section 5 of the FTC Act to police “unfair or deceptive acts or practices.” While the Commission originally brought cases under the “deceptive” prong of Section 5, more recent cases have been brought under the vague “unfairness” prong. These cases allege that a company that...