10 lessons from FTC Guidance on Data Security
By Marc S. Roth From Corporate Counsel
“Not if, but when.” These simple words are enough to keep corporate counsel, compliance officers and IT managers up at night when faced with the reality that their network will at some point be breached. This is no surprise given the spate of corporate breaches and unauthorized network intrusions reported in recent years as well as the costs, reputational harm and investigations and lawsuits that follow in their wake. While there are no silver bullets to stop breaches from occurring, understanding and following legal actions brought by regulatory agencies and heeding security guidance they issue could go a long way in preventing security lapses and unauthorized attacks.
There is no omnibus federal law that prescribes the level of security that companies must use to protect consumer information. Instead, Congress has identified certain categories of sensitive data that warrant regulation, such as health and financial information, and online information collected from children under 13, resulting in the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act, respectively.
Each of the above laws (and their implementing regulations) to some extent dictates specific data security standards for companies that possess consumer information in these industries. But for the vast number of companies that do not fall within these categories, knowing what standards they are expected to employ to protect consumer information remains an elusive task. Notwithstanding this void, companies that fail to develop a comprehensive data security plan and implement at least some level of minimum security measures to protect consumer information remain vulnerable to attacks, lawsuits and regulatory investigations.
Enter the FTC
Companies that experience a data breach of some sort can expect to hear from the Federal Trade Commission shortly after the breach becomes public. The agency has brought over one hundred privacy and data security cases under its broad jurisdictional authority pursuant to Section 5 of the FTC Act (15 U.S.C. § 45), which empowers it to investigate and halt unfair and deceptive acts and practices in commerce.
The FTC’s privacy enforcement docket has historically involved companies that failed to abide by their posted privacy policies, which the agency claims violated the FTC Act for being a deceptive trade practice. But the FTC has also brought cases against companies that have failed to take adequate precautions to protect consumer information, alleging that such failure was unfair to consumers, since they could not reasonably avoid the harm that may result from such inadequacies.
But therein lies the rub. How can the FTC claim that a company has not adequately protected consumer information if it and Congress have not given industry specific guidance to follow?
Two companies took the FTC to task on this issue by challenging the agency’s authority to bring data security enforcement cases in the absence of clear and prior guidance. Both of these cases have recently reached resolution, with differing, though logical, results.
Last summer, the U.S. Court of Appeals for the Third Circuit upheld a district court’s finding that the FTC does have the authority to review and scrutinize a company’s data security practices under Section 5 of the FTC Act. The FTC sued Wyndham Worldwide Corporation in federal district court in December 2012 for failing to employ reasonable and appropriate protections for consumer information, which resulted in several data breaches and caused “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
Wyndham moved to dismiss the action by challenging the FTC’s authority to bring claims under Section 5 in the absence of specific and particular data security standards. The district court rejected Wyndham’s motion and the Third Circuit affirmed.
Three months later, an FTC administrative law judge ruled against the agency in a case involving a cancer-screening laboratory’s failure to adequately protect sensitive consumer information. The ALJ dismissed the agency’s August 2013 complaint alleging that LabMD failed to employ “reasonable and appropriate” data security for consumer information, which “caused, or is likely to cause substantial injury to consumers.” As in Wyndham, the FTC investigation followed several breaches by LabMD that collectively exposed personal information of approximately 10,000 consumers. The FTC’s complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network, and that company documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.
The complaint concluded that LabMD’s alleged failure to employ such measures amounted to an unfair trade practice under the FTC Act by causing, or being likely to cause, substantial harm to consumers that is not reasonably avoidable by consumers or outweighed by benefits to consumers or competition. The ALJ disagreed, finding that “FTC complaint counsel had failed to carry its burden of proving that LabMD’s alleged failure to employ reasonable data security constitutes an unfair trade practice, because complaint counsel failed to prove that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers.” He added, “At best, Complaint Counsel has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
This matter is far from over, since the FTC has appealed the decision to the full FTC Commission, which will likely result in the decision being overturned. But the ALJ’s finding does fall in line with a string of cases questioning whether regulatory investigations and class actions are appropriate where no harm resulted from an actual or potential data breach.
While these decisions may appear to conflict, they address very different issues and do not actually contradict each other. Wyndham involved actual, proven consumer harm, whereas LabMD did not. It is an open question whether the Third Circuit and the lower court would have upheld the FTC’s authority to prosecute inadequate security practices in the absence of provable and discernible harm. The lack of harm was very much the centerpiece issue for the FTC’s ALJ in LabMD.
Regardless of the final outcome of these cases, companies that collect and maintain consumer information, particularly sensitive information such as account numbers, must develop and implement sound data security policies and procedures designed to prevent unauthorized breach and intrusion. In the absence of statutory prescriptions to follow, the FTC has published a document that many consider to be a treasure map to the FTC’s secret vault of security expectations.
This document, titled “Start with Security: A Business Guide,” follows a series of FTC workshops and papers involving privacy and data security. It highlights the following 10 practical lessons that can be drawn from over 50 data security cases the agency has brought over the last decade.
For more on this story go to: http://www.corpcounsel.com/id=1202751063013/10-Lessons-From-FTC-Guidance-on-Data-Security