Back Off Business, Cybersecurity Is FTC's Turf Now

by Blank Rome LLP
Contact

On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s authority to police corporate cybersecurity practices. Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corp., which was supported by many prominent business groups, had argued the commission didn't have the power to regulate corporate data-security practices. While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantel as the top federal enforcement authority in the area of cybersecurity.

It can be argued the growing influence of the FTC in the area of cybersecurity is the result of inaction rather than a deliberate plan to expand the reach of the commission. Despite a clear need, Congress has been unable to pass significant cybersecurity legislation, let alone a comprehensive bill addressing the rising threat posed by cyber attacks. The result of this inaction, lack of clear regulations and absence of a designated enforcement body is a power vacuum, and in Washington such vacuums will eventually be filled. In the case of cybersecurity, it is the FTC that has come forward to fill the void in cybersecurity enforcement.

The FTC has quietly moved to the forefront of the cybersecurity discussion by initiating enforcement actions following cyber attacks. These enforcement actions have resulted in the imposition of tens of millions of dollars in penalties, private settlements and expensive compliance obligations. When private settlements fail, the FTC has initiated litigation to hold corporations accountable for cyber breaches involving customer data. In the absence of cybersecurity legislation or specific grant of authority by Congress, one would be reasonable to question the legal footing upon which the FTC relies to initiate enforcement actions challenging cyber preparedness.

The FTC argued it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” With regard to consumer fairness and protection, the FTC believes Section 5’s “catch-all” prohibition unquestionably covers deceptive data-security practices. It further believes Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy, including cybersecurity. Wyndham and many other business organizations disagreed with this logic and raised their divergent views in the form of a direct challenge to the FTC’s interpretation of its own authority in a proceeding pending before the New Jersey federal court.

In FTC v. Wyndham Worldwide Corporation, et al., the commission initiated an action against Wyndham following a series of cyber breaches at several of the company's branded hotels, where customer credit card information was exposed. The FTC filed suit against Wyndham itself, even though each Wyndham-branded hotel is independently owned and operates a separate computer network. The FTC’s enforcement action did not allege any guest credit card information was compromised, that any improper charges were placed on the credit cards of Wyndham customers or that Wyndham dealt unfairly with its customers. The FTC pressed forward with an enforcement action based on its perceived, long-established authority under Section 5 of the FTC Act to protect consumers’ data from identify theft and other injury as a result of unreasonable data security measures.

The gravamen of the FTC’s action is the belief Wyndham did not maintain “reasonable and appropriate” data-security protections and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive. Unlike other companies pursued by the FTC, Wyndham did not retreat and aggressively defended itself against the allegations. Through its motion to dismiss, Wyndham directly challenged the FTC’s authority to regulate cybersecurity and to initiate enforcement proceedings by relying on Section 5.

In its first line of defense, Wyndham argued cybersecurity regulation and legislation should be developed through the legislative process, not by bureaucrats. Specifically, Wyndham suggested Congress, not the FTC, is the proper body to regulate cybersecurity and that it alone has authority over data-security standards. In support of this position, Wyndham noted that Congress has already “spoken” by enacting federal statutes authorizing particular agencies to establish data-security standards for specified industries or sectors. Wyndham further argued Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Wyndham also took the position that the FTC does not have the expertise or authority to establish data-security standards for the private sector, especially when the commission itself has been hacked.

In addition to challenging the alleged basis for the FTC’s enforcement authority, Wyndham noted that a particularly troubling aspect of the FTC’s enforcement regime is its failure to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de-facto regulations.

In practice, the FTC files an enforcement action against public Company A and enters a settlement agreement with the alleged offender that is confidential and not available to the public. The FTC can then proceed to initiate an action against Company B for violating Section 5 by failing to adopt the policies or procedures implemented through the confidential settlement with Company A. Wyndham questioned how businesses can ensure compliance with the unpublished requirements. Various associations, including the U.S. Chamber of Commerce and American Hotel & Lodging Association, have supported Wyndham by filing an amicus brief in support of the motion to dismiss.

For its part, the FTC was not prepared to accept any limitation on its ability to regulate cybersecurity using Section 5 of the FTC Act. In opposing the motion to dismiss, the FTC fervently maintained that its broad consumer protection mandate authorizes it to regulate the entire economy. Simply put, the FTC believes it currently has the right to protect consumers from known, evolving and unanticipated threats, without the need for a specific delegation of authority from Congress. The FTC characterized Wyndham’s suggestion that the FTC is prohibited from acting in any given sector of the economy — including cybersecurity — as unprecedented and unsupported.

With regard to the lack of formal regulations, the FTC disputes Wyndham’s contention regarding the necessity of guidelines, arguing it is simply not practicable to have highly particularized guidelines on data security. Arguing in support of a loose regulatory framework, the FTC believes it has provided considerable guidance to companies through public statements and 19 enforcement actions on data breaches. The FTC takes the position that this is sufficient to provide industry with “notice of different features of data security that must be evaluated in order to maintain a reasonable data-security program.” Analogizing cybersecurity to tort law, the FTC argued it will be up to the court to determine if a particular company’s data-security measures are “reasonable.”

Framing the parties' dispute, Judge Salas noted that Wyndham’s “motion to dismiss demands that this [c]ourt carve out a data-security exception to the FTC’s authority and that the commission publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.

On the central issue of whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas rejected the argument that permitting the FTC to exercise authority over data security would lead to a result “that is incompatible with more recent legislation and thus would “plainly contradict congressional policy.” Addressing Wyndham’s reliance on FDA v. Brown & Williamson Tobacco Corp., an important U.S. Supreme Court decision limiting the scope of the U.S. Food and Drug Administration's authority, Judge Salas found that “unlike the FDA’s regulation over tobacco, the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” In this regard, the failure of Congress to enact a comprehensive cybersecurity regime inured to the benefit of the FTC. Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.”

After finding that Section 5 permits the FTC to wade into cybersecurity waters, the court addressed the argument that it would violate basic principles of fair notice and due process to hold Wyndham liable absent clear “rules, regulations or other guidelines explaining what data-security practices the [FTC] believes Section 5 to forbid or require.” Rephrasing Wyndham’s argument, Judge Salas noted the issue is not whether the FTC must provide fair notice, but rather “whether fair notice requires the FTC to formally issue rules and regulations before it can file an unfairness claim in federal district court.”

After analyzing the law, the court ultimately concluded the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that "[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

The outcome of the motion to dismiss is significant to the parties in this action and, depending how other courts rule, may prove to be a pivotal event when it comes to shaping the future of cybersecurity enforcement. With the wind at its back and its authority upheld, the FTC will most likely be further empowered to regulate cyber breaches and to expand its influence in the area of cybersecurity enforcement. In light of this decision, companies would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare practices against peers firms and evaluate cyber protocols in light of all relevant FTC rulings and statements. These steps will go a long way to ensure one’s cybersecurity practices are deemed adequate and “commercially reasonable” by the FTC.

"Back Off Business, Cybersecurity Is FTC's Turf Now," by Steven L. Caponi appeared in the June 10, 2014 edition of Law360. To learn more, please click here or visit www.law360.com. Reprinted with permission from Law360.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising

Written by:

Blank Rome LLP
Contact
more
less

Blank Rome LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!