Reasonable Doubt: Data Privacy, Cybersecurity, and the FTC

by Robins Kaplan LLP

Today’s cybersecurity environment demands that every business establish effective corporate data privacy and consumer information security systems and practices. Unfortunately, no single cybersecurity law exists to provide the clarity and guidance companies need. Instead, a complex, topic-driven web of federal laws and regulations makes up our current privacy and data security framework.[1]

While Congress has proposed solutions to this situation, none of the pending legislation looks likely to come to fruition anytime soon. In the meantime, businesses must look to other regulatory bodies—and specifically the FTC—for assistance. The FTC has acted where Congress hasn’t and has promised to fill and police the current cybersecurity void. What’s more, the FTC has gained legal authority in this arena, as a court recently recognized its power to regulate cybersecurity.

So far, however, the guidance the FTC has offered has been confusing at best. In short, while the agency’s guidance is valuable, it may be a challenge to implement proactively. According to FTC Chairwoman Edith Ramirez, “Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.” Thus, failure to take “reasonable” steps could lead to your business facing disastrous consequences.

So what guidance does the FTC provide? What regulatory scheme, industry standard, or ten-step program does it require? Has it laid out a guiding maxim to aid businesses in setting policy? This article assesses the core of the FTC’s power, the regulations it has created, and the vast gaps that continue to exist in this area.

The root of the FTC’s power: Unfair or deceptive acts or practices

The FTC has asserted its authority to regulate the handling of consumers’ sensitive personal information under the “unfair or deceptive acts or practices” prong of Section 5 of the FTC Act. Under Section 5, an act or practice is unfair if “it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.”[2] An act or practice is deceptive “if there is a misrepresentation, omission, or other practice, that misleads the consumer acting reasonably in the circumstances, to the consumer’s detriment.”[3] The FTC has asserted its authority under each of these prongs—(1) unfair and (2) deceptive—both separately and collectively.

Wyndham Hotels: The FTC’s power reinforced

The FTC gained court approval for its ability to protect consumers from harmful, substandard data security practices in a case against Wyndham Hotels. In this case, Russian criminals hacked into the hotel chain’s reservation system. The hackers obtained customers’ credit card and other personally identifiable information. The FTC sued Wyndham over the breach.

The agency alleged that hotel guests suffered more than $10 million in fraudulent charges and other identity theft and credit harms. In the suit, the FTC sought a permanent injunction requiring Wyndham to secure its computer systems. Specifically, the agency asserted arguments under both prongs of Section 5. The FTC argued:

• Wyndham’s failure to protect customers’ personally identifiable information was an unfair business practice; and
• Wyndham’s privacy policy was deceptive, as it made cybersecurity promises it didn’t keep.

Wyndham challenged the FTC’s authority, stating that the FTC had exceeded its enforcement authority by pursuing its lawsuit. The chain also argued that the consumer protection statute doesn’t cover security in cyberspace. In the first ruling of its kind, the court sided with the FTC. The court refused to "carve out a data-security exception to the FTC's authority." While the court noted that its ruling "does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked," it also set no specific limits on that authority. 

Fandango and Credit Karma: “Reasonableness” in action

The FTC’s “reasonable” steps standard appears clearly in two similar cases: one against Fandango, the other against Credit Karma. According to the FTC, these companies failed to secure the transmission of consumers’ personal information through their mobile apps. The Fandango Movies app allows users to view show times, trailers, and reviews, as well as buy tickets. Credit Karma’s mobile app allows users to monitor their credit and financial status. In both cases the FTC alleged the same error: when they designed their mobile apps, Fandango and Credit Karma both disabled Secure Sockets Layer (SSL) certificate validation.

Mobile operating systems, such as Apple’s iOS and Google’s Android, provide tools to implement the industry-standard SSL so as to secure sensitive transactions. Properly implemented, SSL secures an app’s communications and keeps an attacker from intercepting sensitive personal information submitted by consumers. By disabling SSL certificate validation, both companies allegedly left their apps vulnerable to “man-in-the-middle” attacks, in which a third party can intercept any of the information the apps send or receive. The FTC alleged that this type of attack is particularly dangerous on unsecured public Wi-Fi networks. These networks, often found at coffee shops, airports and shopping centers, are where consumers commonly use these apps.

The FTC alleged that by overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app. This exposed sensitive information, including credit card numbers and security codes, zip codes, expiration dates, email addresses and passwords. Credit Karma’s apps exposed consumers’ Social Security numbers, names, birthdates, home and email addresses, phone numbers, passwords, credit scores, and more.

The complaints also alleged that the Fandango app assured consumers during checkout that the app securely stored and transmitted their information. Similarly, the FTC accused Credit Karma of assuring its customers that it followed industry-leading security precautions. Such precautions would, of course, include the use of SSL to secure customer data.

In the end, the FTC asserted that both companies failed to perform basic and widely available security checks that would have caught the problem. Further, the FTC alleged that each company could have prevented such vulnerability. In essence, the FTC argued that Fandango and Credit Karma failed to take reasonable steps. Both companies agreed to settle their claims prior to trial.
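The kind of check the FTC had in mind is easy to automate. The following is an added example written for this article; it is not code from Fandango, Credit Karma, or the FTC. It uses Python’s standard `ssl` module to stand in for the mobile SSL APIs the complaints describe, and the function names (`audit_tls_context`, `validation_disabled_context`, `release_gate`) are our own. The audit inspects the two settings an app turns off when it “overrides the default validation process”: verifying the server’s certificate chain against trusted authorities, and checking that the certificate was issued for the host the app is talking to. A build that ships with either setting weakened is the configuration both complaints describe.

```python
"""Added example: an automated check on a TLS client configuration.

Not the article's or either company's code. Python's ssl module stands in
for the mobile platform SSL APIs; the function names are hypothetical.
"""
import ssl


def audit_tls_context(ctx):
    """Return a list of findings for a client SSLContext.

    An empty list means certificate validation is intact. The two checks
    correspond to the protections an app loses when it disables SSL
    certificate validation.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "verify_mode is CERT_NONE: any certificate is accepted, "
            "so a man-in-the-middle can present its own")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: a valid certificate issued for some "
            "other site would be accepted for this connection")
    return findings


def secure_client_context():
    """The platform default: chain verification plus hostname checking."""
    return ssl.create_default_context()


def validation_disabled_context():
    """Constructed illustration of the misconfiguration in the complaints.

    Hostname checking has to be switched off before verify_mode is lowered,
    because Python refuses CERT_NONE while check_hostname is still True.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def release_gate(ctx):
    """Pre-release check: True only if validation has not been weakened."""
    return not audit_tls_context(ctx)


if __name__ == "__main__":
    for name, ctx in (("platform default", secure_client_context()),
                      ("validation disabled", validation_disabled_context())):
        findings = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not findings else findings}")
```

Run as a step in the app’s build or release pipeline, `release_gate` fails the build whenever a developer has lowered `verify_mode` or turned off `check_hostname`, which is precisely the change the FTC said widely available checks would have caught before the apps reached consumers.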

Be “reasonable”: 5 benefits of working with a cybersecurity lawyer

The few cases highlighted above serve as just a sample of the steady stream of FTC-driven data security and privacy suits. Until Congress takes further action to standardize the area of cybersecurity regulation, this kind of FTC action is sure to continue.

Creating a comprehensive data security practices policy can help protect your business from becoming the subject of an FTC enforcement action. Integrating legal counsel into the creation and ongoing review of that policy provides additional strategic benefits. For example, counsel can:

• Act as an objective sounding board to IT staff tasked with designing, implementing, and reviewing data practices.
• Mediate between business-driven design decisions and IT-driven security concerns, assisting in the balance of power between both sides.
• Engage outside consultants to check practices against industry standards, bringing an added level of objectivity while also protecting the attorney-client privilege.
• Review privacy policies, test representations made to consumers, and evaluate how outsiders might exploit those representations in court.
• Serve a critical role in litigation-testing the “reasonableness” of security practices.

Legal counsel is to cybersecurity policies as IT is to data practices—you really should not have one without the other. After all, the testing of how reasonable your practices are will ultimately happen in a courtroom, not a boardroom.

Conclusion

The cybersecurity and data privacy regulatory field has grown out of a patchwork of laws from a variety of government agencies, including the FTC. As the FTC continues to gain authoritative ground in pursuit of lawsuits on behalf of wronged consumers, companies must take great care to create strong cybersecurity policies. These policies must specifically address the FTC’s “reasonable” steps guideline. Your best chance of meeting that standard—and staying out of trouble with the FTC—requires that you work closely with an experienced data privacy and cybersecurity lawyer when creating and updating your data privacy and security policies.

[1] For example, the Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information; the Gramm-Leach-Bliley Act (GLB Act) regulates financial information; the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA) cover information used in credit, insurance and employment decisions; and the Children’s Online Privacy Protection Act (COPPA) regulates personal information obtained online from children under the age of 13.
[2] 15 U.S.C. § 45(n).
[3] Fed. Trade Comm’n, Policy Statement on Deception, reprinted at 103 F.T.C. 174-5 (1984).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robins Kaplan LLP | Attorney Advertising
