Better Late than Never: FTC Data Security Initiative a Potentially Useful Guide to “Reasonableness”
On June 30, 2015, the Federal Trade Commission (FTC) announced a new data security initiative called “Start With Security.” The stated purpose of the initiative is to use the FTC’s experience in data security enforcement actions to help businesses adopt appropriate measures to protect customers’ data. The initiative has three components: a website that consolidates the FTC’s guidance on data security, a series of conferences aimed at helping small and medium businesses, and a “Guide for Business” (the Guide) that outlines 10 lessons derived from the FTC’s data security enforcement actions. Notably, the initiative comes amid judicial review of the fairness of FTC enforcement activity in the absence of clear rules or expectations.
The “Guide for Business”
The Guide is a must-read for general counsels and chief security officers. The FTC has brought over 50 enforcement actions against companies for having unreasonable data security practices under Section 5(a) of the Federal Trade Commission Act (FTC Act), which prohibits “unfair or deceptive acts or practices.” The FTC’s admonitions about security always return to the agency touchstone of “reasonableness.” The Guide is the FTC’s most comprehensive public statement about what it considers to be an unreasonable data security practice.
The Guide, however, is not a detailed checklist of acceptable cybersecurity practices. The FTC is not claiming to weigh in on granular issues like how a firewall should be configured, whether data at rest should always be encrypted, or when to use two-factor authentication. Rather, the FTC returns to its “reasonableness” standard and confirms that “reasonableness” will change according to the particular characteristics of each business.
The FTC’s fluid and situation-specific approach to reasonableness is reflected in the Guide’s data security lessons. The lessons, like “Start with Security,” and “Control Access to Data Sensibly,” are very broad and, in and of themselves, do little to inform a company about whether a particular data security practice is reasonable. That said, the Guide is not so abstract as to be meaningless. The Guide includes summaries of each enforcement action that supports a particular lesson, including the specific facts and practices that the FTC stated were unreasonable in that case.
The Wyndham Litigation
The Guide is clearly an attempt to address criticisms that the FTC has not provided sufficient detail about what it considers an unreasonable data security practice. The most pointed of these criticisms came from Wyndham hotels in the FTC’s ongoing data security enforcement action against the hotel chain. The FTC complaint alleges that Wyndham failed to implement reasonable data security practices, allowing Russian hackers to steal significant amounts of customer data.
The FTC prevailed against Wyndham’s motion to dismiss in the district court, and the case is now before the U.S. Court of Appeals for the Third Circuit, in FTC v. Wyndham, No. 14-3514. Among other points, Wyndham argued that the FTC failed to adequately notify companies through “rules, regulations, or other guidelines” as to what constitutes reasonable data security practices. Without clearly defined standards for data security, Wyndham argues that any enforcement action by the FTC under Section 5 would violate principles of fair notice and due process.
At oral argument on March 3, 2015, the Third Circuit appeared to take Wyndham’s concerns about notice seriously. During argument, Judge Thomas L. Ambro asked, “Assuming that complaints and consent decrees or decisions on motions to dismiss are clear enough to give notice when companies read them, how do companies know when they should be reading them? If I were counsel, and I was advising somebody, that wouldn’t be the first place I would necessarily look…as to whether there was an unfair [data security] practice.” The FTC replied that “careful general counsel” should be looking to and following the FTC’s enforcement actions.
Judge Ambro then asked, “Have you informed the public that it needs to look at complaints and consent decrees for guidance?” At oral argument, the FTC was not able to provide a definite answer. It can now. The Guide is a clear communication to the public that the FTC will be looking to its past data security enforcement actions in determining whether or not a data security practice is unreasonable.
The FTC may have been eager to push the Guide out now, before a somewhat skeptical Third Circuit decides the Wyndham case. However, while the initiative may aid the FTC in educating the private sector, it should not alter the fate of its case against Wyndham. The guidance is not detailed, prescriptive, or binding, and even it if were more robustly detailed, offering it now does nothing to establish that Wyndham was on notice of FTC expectations at the time of its cyberattacks in 2008–2010. Indeed, this initiative could be seen as confirming the lack of earlier notice. Regardless of the impact on the Wyndham litigation, it is clear the agency is trying to put businesses on notice that they should review the FTC’s prior enforcement actions in determining whether a data security practice is reasonable.
Using the Guide
The Guide has the advantages of being brief and accessible. It should be a fairly simple task for general counsels and chief security officers to take steps to make certain that their IT department can affirmatively state that they are not engaging in any of the practices listed in the FTC’s guidance. And while it is no safe harbor or shield from liability, an assessment using the FTC’s Guide will likely be looked on favorably by the FTC should a data breach occur. More importantly, an assessment is a relatively low-cost way to evaluate cybersecurity and potentially prevent a data breach.
As the FTC has warned, companies should be paying attention to the FTC on questions of data security and cybersecurity. In the absence of clear rules of the road or standards of care, cautious companies can expect the FTC to continue to demand that companies meet its view of “reasonable” security. This initiative is one more signal of what that actually means.
 FTC Press Release, June 30, 2015 (available here).
 FTC Data Security Database (available here).
 FTC “Start with Security: A Guide for Business” (available here).
 See, e.g., Prepared Statement of the FTC, Data Breach on the Rise: Protecting Personal Information From Harm, Before the Committee on Homeland Security and Government Affairs, United States Senate (Apr. 2, 2014) (“The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.”).
 FTC Data Security Database (available here).
 Likewise, the litigants in the LabMD proceeding have hotly contested the FTC’s approach, which LabMD has argued amounts to 20:20 hindsight. See In the Matter of LabMD, Inc., No. 9357, 2014 WL 2331045, LabMD’s Pre-Trial Brief.