Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

by Davis Wright Tremaine LLP

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding could be reversed in any ultimate appeal of a later decision on the merits).

More importantly, as the district court itself noted, “A liability determination is for another day.” For this reason, “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.” Therefore, the FTC’s position that it provided “fair notice” of the applicable data security standards will now be determined only after a full evidentiary record has been developed, including the consideration of evidence of whether Wyndham’s practices actually caused, or were likely to cause, substantial injury to consumers that was not reasonably avoidable by those consumers.
The Power of the FTC
In rejecting Wyndham’s arguments that the FTC’s Section 5 authority does not extend to free-roaming regulation of data security, the district court tacitly began with the premise that virtually any unfair practice affecting commerce is within the power of the FTC to regulate, absent legislation contradicting that power in specific areas. While our next installment of this series will examine the historical context of the FTC’s unfairness authority and earlier criticisms of the agency’s “shifting course” and “ad hoc” enforcement, we must briefly address the FTC’s authority today, as it cannot be completely disassociated from the question of what constitutes fair notice.
In arguing that the FTC did not have authority to regulate data security, Wyndham pointed to a number of public statements made by the FTC in previous years in which the FTC stated that it did not have the power to generally enforce data security lapses under the unfairness prong. In fact, the FTC had asked Congress to grant it the broad authority over data security which the agency did not believe it possessed under Section 5.
Yet Judge Salas “was not convinced” that these statements added up to the type of unequivocal disavowals of authority similar to those that the FDA had given with respect to cigarette regulation, as addressed in Brown & Williamson. Judge Salas did recognize that the FTC seemed to have reversed its position in subsequent years, but suggested that an agency should not be locked into its initial statutory interpretation, and pointed to a statement to that effect by the Supreme Court in Brown & Williamson. As in all cases where an agency changes direction, it must give a reasoned explanation for the change.
Fair Notice
The District Court next turned to Wyndham’s argument that the FTC failed to provide “fair notice” as to the standard of conduct Wyndham was required to follow because it had not promulgated any rules or regulations on point; in short, Wyndham maintained that businesses should not be forced to “divine” the FTC’s belief as to what practices will constitute unfair conduct subjecting it to an enforcement action. Wyndham also argued that the appropriate test for determining whether the FTC had provided fair notice was whether the standard of conduct for businesses such as Wyndham had been stated with “ascertainable certainty,” and that the standard could not be met by announcing rules “for the first time in an enforcement proceeding.” Wyndham argued that “if the FTC could regulate data security at all, it must do so through published rules that give the parties fair notice of what the law requires.”
The Commission does have the authority, within certain limits, to prescribe “interpretive rules and general statements of policy with respect to unfair or deceptive acts or practices in or affecting commerce” and “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce,” known as the “Magnuson-Moss” rulemaking procedures. However, these procedures go well beyond those set forth in the Administrative Procedure Act. Specifically, when prescribing “interpretive rules and general statements of policy,” the Commission can only act where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent, either because it has issued cease and desist orders regarding such acts or practices or because other information indicates a widespread pattern of such acts. When this threshold is met, the FTC must publish an “advance notice” of the rulemaking (in addition to, and prior to, the publication of the actual proposed rulemaking) that meets certain criteria and invites comment. The Commission must also submit such advance notice of proposed rulemaking to the Committee on Commerce, Science, and Transportation of the Senate and to the Committee on Energy and Commerce of the House of Representatives (the “Committees”). Thirty days before the publication of the actual notice of proposed rulemaking, the Commission must submit such notice to the same Committees.
Similar burdens are associated with prescribing rules that define with specificity the acts or practices which are unfair or deceptive. In such a rulemaking, the Commission must publish a notice of proposed rulemaking stating with particularity the text of the proposed rule (including any alternatives) and the reason for the proposed rule, permit public comment, and provide an opportunity for an informal hearing. In all, the burdensome provisions of the Magnuson-Moss rulemaking requirements are practically prohibitive, as the FTC itself indicated in its testimony before a House of Representatives subcommittee in 2011. This, perhaps in addition to the Commission’s unclear authority to act in this realm, has resulted in a complete void of data security rules by the Commission.
Undeterred, the FTC argued in the Wyndham Worldwide case that “agencies are permitted to articulate principles through adjudication unless the action would constitute an abuse of discretion (such as a ‘sudden change of direction’) or would violate the Administrative Procedure Act (such as by bypassing a pending rulemaking proceeding).” In the context of data security, the FTC argued that it has been “investigating, testifying about, and providing public guidance” for more than a decade and therefore, in the absence of a pending rulemaking proceeding, enforcement actions were appropriate vehicles under its Section 5 authority.
The district court agreed with the FTC and found that where an agency is given the choice of engaging in rulemaking or proceeding by individual adjudication, that choice is typically left to the discretion of the agency. The very breadth of the FTC Act, the court held, suggested that the agency needs flexibility to address complex and differing situations. Declining to decide whether the correct standard was “ascertainable certainty,” the court held that there was no requirement that the FTC formally publish regulations before bringing an individual claim. In any event, the court found, there was sufficient “notice” in “the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure.”
There is a tension between Judge Salas’ rejection of numerous consistent public statements by the FTC disavowing its power as “unconvincing,” discussed above, and the judge’s willingness to accept a patchwork of publications, statements and consent decrees by the FTC as giving fair notice of a discernible standard for reasonable data protection that businesses everywhere must understand and follow. Indeed, the public statements and business guidance brochures can hardly meet the specificity of an interpretive rule or general statement of policy, which would be required to go through a rigorous public (and congressional) comment period and would give affected businesses an opportunity to conform to any applicable standard.
While not cited by the district court, a recent article by Professors Daniel J. Solove and Woodrow Hartzog suggests that the FTC’s various pronouncements can be fairly understood as a body of “common law” for privacy. In the article, the authors provided “a rather detailed list of inadequate security practices” pulled from the “FTC’s data security jurisprudence”. Other commentators have also opined that the FTC has already developed a “robust data protection body of law” through its enforcement actions.
The question is whether this is the manner in which we want our agencies to promulgate guidance for all businesses operating within the jurisdiction of the United States on a topic as important as data security, rather than through formal rulemaking. Moreover, do we want agencies to then be able to bring standalone enforcement actions for violations of that guidance? While it may be possible for scholars to assemble lists of standards from various sources, is this the optimal way for companies to ascertain the applicable standards and apply them on the ground? How thoroughly must a company scour FTC literature, public statements and settlements, and to what extent must every piece of guidance be followed—for instance, is “Privacy by Design” now a requirement that must be followed, and what type of documentation of compliance with that rubric will suffice if the FTC challenges a company’s compliance? How will a company ever feel confident that it is providing “FTC-sufficient” protection for its customers’ data?
As noted above, the “fair notice” ruling by the district court was only preliminary, and will be tested again after discovery. Wyndham will presumably need to demonstrate that the various publications and pronouncements by the FTC are too incomplete, too vague, too contradictory, or too confusing to constitute fair notice. However, the tenor of the court’s decision certainly suggests that Wyndham may continue to face an uphill battle on these claims.
In our next post, we will attempt to place the Wyndham Worldwide decision in a broader context: What does it tell us about the future of enforcement in data security; how Congress may react (or not) to this decision; and finally, what should businesses do in light of this new reality?
