The FTC and Data Security
The Federal Trade Commission (FTC) has long been known as the nation’s leading data security enforcement agency, with a portfolio of more than 60 enforcement actions since the groundbreaking BJ’s Wholesale settlement in 2005. At the same time, in the past few years, the FTC also has faced significant challenges to its claimed authority in this area. What can we expect to see in 2017 and beyond from the FTC about data security? There are three main avenues to watch in the year ahead.
FTC Program Development
For about a decade, the FTC built its data security enforcement record through a series of enforcement actions, arising from various scenarios related to security breaches and other security concerns, where companies allegedly failed to implement reasonable and appropriate data security measures. These cases were initiated by the FTC through its investigatory authority, and then typically resulted in settlements with the affected companies. Through these actions, the FTC built what Professors Solove and Hartzog have called “the common law of privacy.” See Solove and Hartzog, “The FTC and the New Common Law of Privacy,” 114 Columbia Law Review 583 (2014). Relying on its general enforcement authority under Section 5 of the FTC Act, and utilizing the program it developed under its specific Gramm-Leach-Bliley Act (GLB) authority (where the FTC has residual authority over “financial institutions” that are subject to the law but not directly subject to enforcement by another federal agency), the FTC developed data security principles through its pursuit of individual cases. The FTC’s cases relied on the key prongs set out under the GLB “safeguards” rule. Standards for Safeguarding Customer Information; Final Rule – 16 CFR Part 314 (May 23, 2002). This standard requires companies to:
- Designate an employee or employees to coordinate the information security program.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.
- Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards.
- Evaluate and adjust your information security program in light of the results of the testing and monitoring of the program, any material changes to operations or business arrangements, or any other circumstances that the company knows or has reason to know may have a material impact on the information security program.
For many years, and more than 60 data security actions, the FTC moved forward to build its common law through settlements with affected companies. Relying on its authority from 15 U.S.C. § 45(a), which prohibits “unfair ... practices in or affecting commerce,” these settlements identified problematic practices and provided guidance to other companies on how the FTC viewed the concept of “reasonable and appropriate” data security.
Challenges to FTC Authority
Then, after all these settlements, Wyndham Hotels challenged the FTC’s overall authority in this area, asserting (among other arguments) that Section 5 did not authorize the FTC to require such data security practices. After hotly contested litigation, the FTC prevailed over Wyndham, through the Third Circuit’s decision in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Essentially, the court held that there were data security practices that could be subject to enforcement under 15 U.S.C. §45(a), and that Wyndham had sufficient notice of these practices to make enforcement constitutionally appropriate.
While the Wyndham case was proceeding, the FTC faced a second challenge, from LabMD. The LabMD case (which has an extremely complicated and continuing procedural history) originally presented two issues. First, like Wyndham, LabMD asserted that the FTC had no authority in this area. Then, LabMD also asserted that the FTC was not able to take action against an entity regulated by the Health Insurance Portability and Accountability Act (HIPAA). (LabMD is a “covered entity” under the HIPAA Rules, subject to primary enforcement from the HHS Office for Civil Rights.) While these challenges were proceeding, an FTC Administrative Law Judge (ALJ) denied FTC authority on a third ground—ruling that the FTC could only act in situations where there was consumer harm. While that ALJ decision (not surprisingly) was overturned by the FTC commissioners, these issues are continuing in litigation.
So, in 2017 and beyond, we can expect continued attacks on the FTC’s authority to pursue cases in this area, on both general grounds related to overall notice and consumer harm, and in connection with whether specific activities constitute unfair practices. While many companies will still find a settlement preferable (because the settlement terms tend to impose a requirement for reasonable and appropriate security and do not typically involve monetary payments), some companies will follow Wyndham and LabMD in making the FTC work harder on its cases.
For much of this period where it has engaged in data security enforcement activity, the FTC also has pursued a legislative agenda. This approach has included two related concepts—a federal data breach notification law and a proposal for statutory standards related to data security. The data breach proposal could fill in existing gaps in the law today, by creating a consistent and broadly applicable federal standard rather than relying on a complicated variety of state laws applicable in most (but not all) states. In addition, a national approach with preemption of state laws could create consistency and reduce ambiguities and compliance challenges, to the benefit of both companies and consumers.
Despite maintaining in litigation that it has authority to pursue these data security cases, the FTC also has asked Congress to implement national data security standards. The FTC’s desire for statutory data security standards has always been somewhat odd. The FTC has pursued its generally applicable data security enforcement program without expressly applicable statutory standards. It has asserted—aggressively when challenged—that it has the authority to pursue these cases. If the Wyndham or LabMD challenges had resulted in the denial of FTC authority, the need for a statute would have become acute. Now, with the FTC (so far) maintaining its authority, the need for a law is less clear. Nonetheless, the FTC’s current commissioners (just three because of appointment tensions) all recently testified before Congress on the need for these proposals. To date, Congress has been unmoved by these pleas on both legislative ideas (and has so far been unmoved by the broad variety of major security breaches). While proposals are written and some move through committee, there has been little progress on these laws in many years. So, with a new President and Congress coming in 2017, we will watch to see if there is movement in this area. Any limitations on the FTC’s authority through ongoing litigation should push Congress more assertively to enact legislation on these issues.
There is a third prong of this debate which has received less publicity—and which may ultimately have a broader impact on how the FTC defines its data security authority. As part of a “systematic review of all current Commission regulations and guides” the FTC has initiated a regulatory proceeding to review its standards under the Gramm-Leach-Bliley rule. 81 Fed. Reg. 61632 (Sept. 7. 2016). The first step in this process is a “Request for Comment” related to the current GLB Safeguards rule, where the FTC seeks input on a broad variety of issues involving the current standards, primarily whether the rule is too strong or too weak, and what should be done to change the Safeguards rule in the future. Companies have until November 7, 2016, to submit their comments.
Presumably, the FTC will move forward with some proposed changes to this rule. The big question is whether the FTC will move from a relatively general standard under GLB (with the general parameters identified above), to create a more prescriptive approach. If it does this for GLB requirements for “financial institutions,” and GLB was the standard for the FTC’s “non-GLB” enforcement activities, will these new GLB requirements become part of the broader enforcement arsenal? And if so, will this result in even more challenges to the FTC’s authority from affected companies? Companies in all industries should watch this current regulatory proceeding (which presumably will result in a proposed new rule as a next step, following the request for comments), as this new rule likely will define the standards that the FTC will apply not only in connection with GLB-regulated entities but also on a broader basis across its entire enforcement authority.
The FTC, while not alone in privacy and data security enforcement, remains the most visible and active regulator of a broad variety of privacy and data security practices. While its authority remains under challenge, the agency continues to investigate a vast array of data security practices. While its overall set of cases certainly provides a good road map for appropriate data security practices for virtually all companies, the FTC also continues to break new ground with each new settlement. Companies in every industry—including those whose only involvement with personal data is through company employees—should be paying close attention to these FTC developments, and taking action to ensure that the company is engaged in appropriate practices to protect the personal data held by the company.