"End of Year Thoughts on FTC Data & Security Requirements"
Two recent events involving the FTC demonstrate that the FTC’s previously-broad authority to regulate companies’ data security provisions may have taken a hit, but that the FTC still has significant power over companies that collect and store consumer information.
Authority of FTC. The FTC generally has authority under federal law to bring a cause of action if it can demonstrate that a company’s actions towards consumers caused or are likely to cause “substantial injury.” The FTC has used this authority in dozens of situations to assert that a company’s data security provisions were insufficient. The FTC’s theory is that these weak provisions could cause “substantial injury” to consumers, especially after a breach of the consumer information occurred, by, for example, allowing hackers to commit identity theft. Few companies challenged the FTC’s assertion of authority.
LabMD a Blow to FTC. One company that did challenge the FTC, however, was LabMD. LabMD and the FTC battled for several years over whether LabMD’s data security practices were insufficient. Last month, the administrative law judge hearing the dispute determined that the FTC had failed to show that LabMD’s data security practices caused, or were likely to cause, substantial consumer injury. The judge noted that there was no evidence that any consumer had actually been injured, even though an unauthorized third party had accessed LabMD’s consumer information. The judge therefore dismissed the complaint. However, the FTC quickly appealed, so the case remains in limbo.
Wyndham Settlement Offers Guidance to Companies. Another situation where the FTC brought a claim alleging insufficient data security provisions involves the Wyndham hotel chain. A few months ago, the Third Circuit ruled that the FTC has authority to regulate a private company’s data security practices—a boost to the FTC’s authority (in contrast to the more-recent LabMD decision).
Following the Third Circuit’s ruling, Wyndham and the FTC entered into a consent order under which Wyndham agreed to follow certain data security protocols, including:
- Complying with the PCI DSS and other standards developed by the PCI Security Standards Council;
- Conducting regular risk assessments and creating reasonable safeguards;
- Creating barriers (e.g., firewalls) between corporate servers and those of its franchisees;
- Ensuring, by contract, that service providers who have cardholder data appropriately safeguard such data; and
- Hiring, for the next twenty years, a third party to assess whether Wyndham has followed these standards.
These safeguards are specific to Wyndham. However, the order offers insight into what the FTC may expect of other companies and may serve as a “best practice.” In fact, even companies that hold little or no consumer information may want to review what was required of Wyndham.