“FTC and data privacy and security: The unexpected enforcer?”
InsideCounsel 06/11/15 By John L. Barlament
Many companies are familiar with several well-known, national privacy and security laws. Those laws are specific to well-defined industries or categories of data. For example, the Health Insurance Portability and Accountability Act (HIPAA) generally applies to individually identifiable health information. The Gramm-Leach-Bliley Act (GLBA) generally applies to certain financial institutions. If a company is not subject to one of these specific laws, can it assume that no federal privacy and security laws apply to it?
Probably not. One of the most rapidly developing concerns in data privacy and security law is how the Federal Trade Commission (FTC) has been regulating a wide variety of companies, across many industries, in this space—and whether the FTC even has authority to embark on this regulation. Assuming the FTC has authority to regulate data privacy and security, what exactly does the agency require? This article will explore these two questions. However, be prepared for some ambiguity and murky answers.
Overview of FTC authority
The FTC enforces the FTC Act, including Sections 5 and 12. Section 5 generally prohibits "deceptive" and "unfair" acts or practices, while Section 12 generally prohibits false advertisements. Generally, an act or practice is "deceptive" if:
- There is a representation, omission or practice
- It is likely to mislead consumers who are acting reasonably in the circumstances, and
- The representation, omission or practice is material.
Whether an act or omission is "unfair" is a determination that the FTC has admitted is not "immediately obvious"—it is a facts-and-circumstances test. However, the FTC has identified these factors as the ones to use in making this determination:
- Whether the practice injures consumers,
- Whether it violates established public policy, and
- Whether it is unethical or unscrupulous.
Historically, the FTC used these broad enforcement concepts to protect consumers from defective physical goods. For example, a 1984 settlement involved a tractor that would "geyser" fuel in some situations, causing fires and injuries to the tractor's users. The FTC found that the company had known of this risk for 17 years but was slow to act.
FTC applies concepts to data privacy and security
Many companies have privacy policies for their websites and customer data. Others should have such policies, but do not have them.
Assume a company assures its customers that it uses sophisticated security tools to protect their personal information, such as credit card numbers, Social Security numbers, email addresses and other sensitive data, but in reality the company's security controls are outdated and, as a result, its records are breached by a malicious actor. Could the company be subject to an FTC claim on the theory that its misrepresentations were "deceptive" or "unfair"?
Yes. Such a situation is an easy opportunity for the FTC to assert its authority, and many of its enforcement actions follow a similar fact pattern. One key takeaway from these cases is that companies should inventory every representation they make about privacy and security (on websites, in privacy policies, in contracts and elsewhere), then compare each one against their actual practices to confirm that the representations accurately reflect what the company currently does.
Details of what FTC requires
So, what exactly does the FTC require for data privacy and security from the companies it regulates? Unfortunately, the FTC has not published regulations detailing the data security measures companies must implement. This stands in contrast to other federal agencies, some of which have published detailed, step-by-step requirements for companies to follow. Instead, companies must examine more than three dozen FTC settlements and other guidance to attempt to determine what the FTC expects.
Highlights of published FTC privacy and security guidance
The FTC has published a "best practices" guide, "Protecting Personal Information: A Guide for Business," for how businesses should protect their data in general. This guide is organized around five principles:
- "Take stock": That is, understand what personal information your organization stores.
- "Scale down": Keep only the information you need for your business.
- "Lock it": "Protect" the information you hold.
- "Pitch it": Properly dispose of information you no longer need.
- "Plan ahead": Create a plan to respond to security incidents.
In January 2015, the FTC issued guidance on the "Internet of Things." The guidance recommends various data privacy and security practices for companies that gather such data, including:
- Implementing security measures (such as using a security by design process before launching products, training employees about good security, ensuring third-party service providers maintain reasonable security measures, implementing access controls and other security measures, monitoring products throughout their life cycle, and to the extent feasible, patching known vulnerabilities);
- Examining their data practices and business needs and developing flexible policies and practices that impose reasonable limits on the collection and retention of consumer data while balancing the need to retain beneficial data; and
- Ensuring consumers are given notice and choice about the collection and use of their data, as appropriate and consistent with the context of the transaction with such consumers or the relationship the company has with its consumers.
Gleaning guidance from FTC settlements
The published guidance above may suggest that the FTC requires only rather basic security policies and procedures. However, the dozens of settlements indicate that the FTC applies much more stringent requirements in practice. These settlements indicate that:
- Not having any data security for consumer information can be an "unfair" practice (see "In the Matter of ReverseAuction.com");
- Websites must be secured against common, well-recognized attacks (in that case, SQL injection) that, if not guarded against, could reveal customer information (see "In the Matter of Guess? Inc.");
- Failing to encrypt consumer information could be an unfair practice (see "In the Matter of BJ's Wholesale Club, Inc.");
- Failing to employ sufficient measures to detect unauthorized access could be an unfair practice (see "In the Matter of DSW, Inc."); and
- Failing to appoint one or more employees to specifically be accountable for the company's security program could be an unfair practice (see "In the Matter of The TJX Companies, Inc.").
Future of FTC guidance
Recently, the FTC has been challenged for its approach to regulating data privacy and security. Academic commentators have criticized the FTC for failing to propose formal guidance, noting that this could violate the U.S. Constitution's requirement that federal agencies provide "fair notice" of the rules an agency requires.
In addition, in 2012 the FTC brought a significant action against the Wyndham hotel chain (FTC v. Wyndham Worldwide Corp.) following several data breaches the chain experienced. Wyndham has contested the action, arguing that the FTC overreached its authority and cannot bring such a claim until it publishes formal guidance on what data security measures companies are required to implement. The litigation is significant because the parties are arguing over fundamental questions about FTC jurisdiction and whether companies such as Wyndham have received sufficient notice of what the FTC requires. The Wyndham and related cases should be monitored for further developments.