Elisabeth Kübler-Ross described various stages of grief; corporate data breaches follow the same pattern. First comes denial: “Breach? What breach?” Then anger: “Whose fault is this?” Then deflection: “How could you have let this happen?” Then investigation, followed by reluctant acceptance. Then comes litigation—class actions, shareholder suits, derivative claims. And finally, the last stage—the one that concentrates the mind of every general counsel and board of directors—regulatory fines. A Supreme Court case argued on April 21, 2026, may determine whether agencies have the legal authority to impose fines on businesses for data breaches or data privacy violations.

That last step is not incidental; it is the enforcement backbone of modern data protection law. Across sectors, federal agencies impose affirmative obligations to safeguard data, and they enforce those obligations with monetary penalties. The Federal Trade Commission invokes its authority under Section 5 of the FTC Act to police “unfair or deceptive acts or practices,” including inadequate cybersecurity. See 15 U.S.C. § 45(a); FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The Securities and Exchange Commission has imposed penalties under its disclosure and internal controls regimes. See 15 U.S.C. §§ 78m(b)(2), 78ff; see also SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023), . Banking regulators enforce data security under the Interagency Guidelines Establishing Information Security Standards. See 12 C.F.R. pt. 30, app. B; 12 U.S.C. § 1818.

In the telecommunications context, the Federal Communications Commission enforces privacy obligations under Section 222 of the Communications Act, requiring carriers to protect Customer Proprietary Network Information (CPNI). See 47 U.S.C. § 222; 47 U.S.C. § 503(b).
These regimes share a common enforcement architecture: administrative or civil proceedings, notice, an opportunity to be heard—and ultimately, fines. What they typically do not provide is a jury trial.

That omission is now before the Supreme Court.

The Case: FCC Enforcement Meets the Seventh Amendment

The Court this term is considering whether the FCC may impose substantial monetary penalties on telecommunications carriers without affording them a jury trial, in enforcement actions arising from alleged data privacy failures.
The underlying facts are neither novel nor trivial. Between approximately 2015 and 2018, major carriers, including AT&T and Verizon, collected and monetized highly sensitive customer location data, selling access to third-party aggregators. That data was, in some instances, accessed without authorization—including by law enforcement officials acting outside formal legal process. This was not technically a data “breach” but a data misuse.

The FCC concluded that these practices constituted “willful and repeated” violations of statutory duties to protect customer data, and it imposed penalties exceeding $57 million against AT&T and $48 million against Verizon.

The carriers challenged those penalties, not primarily on the facts, but on the process.

The Legal Question: Is This a “Suit at Common Law”?

The Seventh Amendment guarantees the right to a jury trial “[i]n Suits at common law.” U.S. Const. amend. VII. The carriers argue that when the government seeks to impose punitive monetary penalties for alleged misconduct—particularly misconduct analogous to common-law claims such as breach of duty, invasion of privacy, or fraud—it is engaging in precisely such a “suit.”
Their argument draws heavily on the Supreme Court’s recent decision in SEC v. Jarkesy, 603 U.S. ___ (2024).  There, the Court held that the SEC’s use of administrative law judges to impose civil penalties for securities fraud violated the Seventh Amendment.
The Court emphasized that the nature of the remedy—punitive monetary sanctions—and the historical analog—common-law fraud—triggered the jury trial right, noting that “When the government seeks to impose civil penalties for fraud, it must proceed in a court of law before a jury.” Jarkesy, 603 U.S. ___ (2024). Since the allegations the FCC made against the telcos were that they collected and used CPNI under “false pretenses” or lied to consumers about what they were doing with the data, this is, according to the carriers, a “fraud” case for which they were entitled to a jury trial.

The carriers contend that FCC enforcement actions for data privacy violations are materially indistinguishable. They involve punitive fines, adjudicated by agency officials who function as prosecutor, judge, and jury.

The Government’s Response: Enforcement, Practicality and Procedural Formalism

The government, defending the FCC, offers two principal arguments.
First, it asserts that administrative enforcement is essential. Civil penalties are “one of the most important and frequently used enforcement tools,” and eliminating them would create a “significant gap in federal oversight.” The regulatory state, in other words, depends on the ability to impose fines efficiently and at scale.

Second, the government argues that the FCC’s process preserves the possibility of a jury trial. A carrier may refuse to pay the assessed penalty, at which point the Department of Justice may bring an enforcement action in federal court, where a jury trial would be available. The civil “fine” is not final until it is ratified by a court.

The carriers respond that this is no answer at all. Requiring a regulated entity to defy an agency order—risking additional penalties, reputational harm, and regulatory consequences—in order to vindicate a constitutional right is, they argue, constitutionally intolerable.

The Lower Courts: A Clean Circuit Split

The courts of appeals have divided sharply.
The Fifth Circuit ruled in favor of AT&T, holding that the FCC’s enforcement scheme violates the Seventh Amendment because it allows the agency to determine liability and impose penalties without a jury. See AT&T Servs., Inc. v. FCC, ___ F.4th ___ (5th Cir. 2025). The court reasoned that a subsequent opportunity for judicial review does not cure the constitutional defect once the agency has already “adjudged guilt and levied punishment.”
By contrast, the Second Circuit rejected Verizon’s challenge, concluding that the availability of a jury trial in a subsequent enforcement action—should the carrier refuse to pay—was sufficient to satisfy constitutional requirements.

This split tees up the Supreme Court’s review.

The Regulatory Purpose: Why These Fines Exist

It is critical to understand what is at stake beyond procedural doctrine.
Regulatory fines in the data security context serve multiple functions. They punish noncompliance, deter future violations, and—perhaps most importantly—create economic incentives for companies to invest in cybersecurity and privacy controls. As the Third Circuit observed in Wyndham: “The FTC’s unfairness authority necessarily encompasses cybersecurity practices that, if left unchecked, could harm consumers.” FTC v. Wyndham Worldwide Corp., 799 F.3d at 245. Indeed, the FTC’s entire regulatory authority over data privacy and data security comes from Section 5 of the FTC Act, which gives the agency the authority to regulate “unfair and deceptive trade practices.” The Supreme Court may end up determining simply that the FTC cannot itself impose fines – it can only act as a Plaintiff in a civil lawsuit seeking damages.

Similarly, the FCC’s CPNI rules are designed to protect “the confidentiality of proprietary information of, and relating to, customers.” 47 U.S.C. § 222(a).
Without meaningful enforcement mechanisms—including the ability to impose substantial penalties—these statutory mandates risk becoming aspirational rather than operational.

The Potential Impact: A Structural Shift in Enforcement

If the Supreme Court extends Jarkesy to the FCC, the consequences will be immediate and far-reaching. Administrative agencies across the federal government rely on similar enforcement models. The Department of Energy, the Department of Health and Human Services, and environmental and wildlife regulators all impose civil penalties through administrative processes.

A ruling requiring jury trials for such penalties would shift enforcement into Article III courts, dramatically increasing the cost, complexity, and duration of regulatory actions. Agencies would lose the ability to impose swift sanctions; enforcement would become episodic rather than systemic.
From a cybersecurity perspective, that shift could weaken deterrence. The threat of rapid, certain penalties is often what drives compliance with data protection obligations. Remove or dilute that threat, and the incentive structure changes.

On the other hand, from a constitutional perspective, such a ruling would restore what the Court increasingly views as a core structural protection: the right to have punitive sanctions imposed only by a jury of one’s peers, before an independent judiciary.

Conclusion: The Final Stage

The Kübler-Ross model ends with acceptance. In the data breach lifecycle, it ends with fines. Now, it may end with jury verdicts and appeals of those verdicts. Nobody said this would be easy. Or fun. The cases are Federal Communications Commission v. AT&T Inc., No. 25-406 (U.S. argued Apr. 21, 2026) and Verizon Communications Inc. v. Federal Communications Commission, No. 25-453 (U.S. argued Apr. 21, 2026).

Recent Articles By Author

• The New Face of Cybercrime: When the Criminal Isn’t the Hacker
• Flock You! Pushback on License Plate Readers
• Magnifica Humanitas – Pope Leo’s Take on Intelligence – Artificial and Otherwise

More from Mark Rasch