Our current legal scheme for data privacy and security is a patchwork of laws. Although there is a proposed bill at the U.S. Capitol, Congress has yet to enact any comprehensive data security legislation and probably will not do so anytime soon. For the time being, expect that the United States Federal Trade Commission (FTC) will continue to fill that void. The FTC has focused significant attention on privacy and data security of consumer information in the last several years. Having just scored a court victory recognizing its authority to regulate cyberspace, the agency will continue to have a major presence in the changing technological and data privacy landscape.

But those looking for clear-cut, easy to follow guidance will be sadly disappointed. In between the vast gaps in the existing legal framework, the FTC has vowed to police the cybersecurity void. The agency’s guidance, however, may be a challenge to implement proactively. What guidance does the FTC provide? What regulatory scheme, industry standard, or ten-step program is required? Perhaps a guiding maxim? “Companies should take reasonable steps to secure sensitive consumer information,” FTC Chairwoman Edith Ramirez has said. “When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”

Wyndham Hotels

The Wyndham Hotels chain found out a few years ago that the FTC would be quick to act when the hotel chain’s reservation system was hacked by Russian criminals, making off with customers’ credit card and other personally identifiable information. Wyndham was sued by the agency, alleging that hotel guests suffered more than $10 million in fraudulent charges and other identity theft and credit harms. In the suit, the FTC is seeking a permanent injunction requiring Wyndham to secure its computer systems. The agency asserted that what Wyndham told consumers in its privacy policy was deceptive; in other words, Wyndham allegedly made cybersecurity promises it couldn’t keep. The FTC also alleged that Wyndham’s failure to protect customers’ personally identifiable information was an unfair business practice.

Wyndham challenged the FTC’s authority, arguing that the consumer protection statute that the agency enforces cannot be stretched to cover security in cyberspace. Wyndham asserted that in its suit against the company, the FTC had exceeded its enforcement authority. In a 42-page ruling, and the first ruling of its kind, the court sided with the FTC and refused to “carve out a data-security exception to the FTC’s authority.” While the court also noted that its ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” no specific limits on that authority were laid out.

Patchwork of laws

For better or for worse, the United States lacks a single unified law or statute that regulates the privacy and data security of consumer information. Rather, our privacy and data security framework is made up of an array of federal laws that identify and regulate specific areas. These laws and regulations are enforced by a range of federal agencies that often operate in tandem with state legislative regimes. These federal laws and regulations are intended to protect consumers from the risks related to certain types of consumer information obtained through certain transactions. For instance, sensitive health information is protected by the Health Insurance Portability and Accountability Act (HIPAA); financial information is regulated by the Gramm-Leach-Bliley Act (GLB Act); information used in credit, insurance and employment decisions is covered under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA); and personal information obtained online from children under the age of 13 is regulated by the Children’s Online Privacy Protection Act (COPPA).

Additionally, the FTC has asserted its authority to regulate the handling of consumers’ sensitive personal information under the “unfair or deceptive acts or practices” prong of Section 5 of the FTC Act.  Under Section 5, an act or practice is unfair if “it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.”  An act or practice is deceptive “if there is a misrepresentation, omission, or other practice, that misleads the consumer acting reasonably in the circumstances, to the consumer’s detriment.” The Commission has asserted its authority under each of these prongs — unfair and deceptive — both separately and collectively.

Recent FTC actions

The FTC has brought scores of data security cases over the years. Some recent examples are illustrative of both the agency’s continuing interest in cybersecurity and the evolving nature of the standards applied. Two companies, Fandango and Credit Karma, recently agreed to settle claims that they misrepresented their mobile app security by failing to secure the transmission of consumers’ personal information through their mobile apps. The Fandango Movies app allows users to view show times, trailers, and reviews, as well as buy tickets. Credit Karma’s mobile app allows users to monitor their credit and financial status. In both cases, the FTC alleged the same error: When they designed their mobile apps, Fandango and Credit Karma both disabled Secure Sockets Layer (SSL) certificate validation. Mobile operating systems, such as Apple’s iOS and Google’s Android, secure sensitive transactions by providing app developers with tools to implement the industry standard SSL. When properly implemented, SSL secures an app’s communications and keeps an attacker from intercepting sensitive personal information consumers submit through the app. However, by disabling SSL, both companies allegedly left their apps vulnerable to “man-in-the-middle” attacks, which allow a third party to intercept any of the information the apps sent or received. The FTC alleged that this type of attack is particularly dangerous on unsecured public Wi-Fi networks, such as at coffee shops, airports and shopping centers, where these apps were commonly used.

The FTC alleged that by overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android exposed consumers’ social security numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.

As alleged in the complaints, the Fandango app assured consumers during checkout that their credit card information was stored and transmitted securely. Similarly, Credit Karma was alleged to have assured its customers that it followed industry-leading security precautions, including the use of SSL to secure customer data. The FTC asserted that both companies failed to perform the basic and widely available security checks that would have caught the problem even though this vulnerability could have easily been tested for and prevented. In essence, the FTC made the argument that reasonable steps could have been effective but weren’t taken.

The lessons from the steady stream of FTC data security and privacy suits are many and  underscore the importance of having IT and legal counsel work together closely. Simply put, setting up corporate data security systems and practices without legal guidance is as sensible as setting up corporate data practices by cutting out the IT staff. The integration of counsel into the setup of data security practices — as well as the on-going review of these practices — provides several critical benefits. First, counsel can serve as an objective sounding board to IT staff tasked with designing, implementing and reviewing data practices. Second, counsel can mediate between business-driven design decisions and IT-driven security concerns, assisting in the balance of power between both sides. Third, counsel can also engage outside consultants to check practices against industry standards, bringing an added level of objectivity, and also protecting the attorney client privilege. Fourth, counsel can also review privacy policies, and test representations made to consumers, and evaluate how outsiders might exploit those representations in court. Finally, counsel can serve a critical role in litigation-testing the “reasonableness” of security practices. After all, the reasonableness of those practices will ultimately be tested not in a board room, but in a courtroom.