If the reaction to recent data security breaches at national retailers Target, Michael’s and Apple is any indication, protecting consumer information will continue to be a hot topic. Yet while consumer concerns about theft are universal, as opposed to industry specific, regulatory protection lags behind. To date, no federal regulation or law sets forth data-security standards that apply to all companies engaged in interstate commerce.
The Federal Trade Commission (FTC) is doing its best to fill the void. Since 2000, the FTC has brought more than 40 data security enforcement actions, and just three months into 2014, the FTC has negotiated settlements with Fandango and CreditKarma for alleged failures to take reasonable steps to secure consumers’ personal information. The FTC relies on Section 5(a) of the FTC Act as its authority for enforcement actions; the statute provides that “unfair or deceptive acts or practices in or affecting commerce…are…declared unlawful.” Unfair practices are broadly defined as those that “cause or [are] likely to cause substantial injury to consumers…not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Similarly, in In re LabMD, Inc., the FTC issued a complaint after two data breaches involving the personal information of more than 9,000 consumers. The FTC alleged that LabMD’s failure “to employ reasonable and appropriate measures to prevent unauthorized access to personal information” was an unfair trade practice causing substantial consumer injury
Both Wyndham and LabMD moved to dismiss, arguing that the FTC lacks statutory enforcement authority without explicit delegation from Congress. Further, they argued that Congress already enacted several other statutes on data security, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In particular, LabMD argues that the FTC has no enforcement authority against it because the data at issue is protected health information and Congress has already established pertinent regulations, including HIPAA, which are enforced by the Department of Health and Human Services (HHS) — thereby precluding FTC enforcement through Section 5. The Wyndham defendants also challenged the sufficiency of the pleadings under Rules 8(a) and 9(b) of the Federal Rules of Civil Procedure, and whether substantial consumer injury occurred in light of reimbursement to consumers for any financial losses from credit card theft in excess of $50. In what appeared to be their strongest argument, both LabMD and Wyndham cited due process concerns about the fairness of enforcing standards only after a significant breach, without notice of what is prohibited. Both argued that in the absence of formal rules setting data security standards, Section 5 alone fails to provide guidance or minimum compliance standards.
Not surprisingly, the FTC disagreed. In its view, “Congress deliberately delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changing economy.” With respect to HIPAA and similar statutes, the FTC contends no legislation exists that “forecloses the Commission from challenging data security measures” in accordance with Section 5. With respect to due process, the FTC points to its public statements and enforcement actions as notice of what constitutes reasonable data-security measures. The FTC also referenced the National Institute of Standards and Technology (NIST) publications, among others, as available sources of guidance regarding reasonable data security.
On April 7, 2014, the Wyndham court sided with the FTC, denying the motion to dismiss and finding unequivocally that the FTC had authority to bring an unfairness claim in the data security context. Judge Esther Salas of the U.S. District Court for the District of New Jersey found that the statutes cited by Wyndham — HIPAA, GLBA, etc. — seemed “to complement—not preclude—the FTC’s authority.” With respect to due process considerations, Judge Salas was not persuaded that fair notice required formal rulemaking before filing an FTC action. Instead, she found ample notice in the language in Section 5, the FTC’s sources of guidance on reasonable data-security measures, and prior FTC consent agreements and opinions.
Judge Salas also found that the FTC sufficiently alleged a claim under Section 5. Specifically, Judge Salas held that the complaint permitted the court to infer that the data security practices “caused theft of personal data, which ultimately caused substantial injury to consumers.” The court was not persuaded by Wyndham’s argument that there was no actual injury because federal law limits consumer liability for unauthorized use of a payment card to $50, and that all major banks waive the $50 limit. Instead, the court held as sufficient that the FTC’s allegations that at least some consumers suffered “unreimbursed financial injury.” The court also rejected the Wyndham defendants’ argument that no injury-in-fact occurred, finding instead that the FTC’s allegation of misuse in the form of fraudulent charges to consumers’ accounts was enough.
While the court cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” companies can take steps to minimize the risk of an FTC enforcement action.