Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming… Has Congress really given the FTC Authority? As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was an issue of (1) an agency’s choice between rulemaking and adjudication versus (2) a Congress’ deliberate withholding of authority from the Commission, with some very narrow exceptions. In the 1970s, the FTC aggressively enforced its Section 5 authority, almost without limit; but these efforts were subject to significant criticism from many quarters: The scholarly criticism tended to focus on the Commission’s failure to apply its unfairness criteria consistently and systematically rather than on inherent faults in the criteria. In connection with the Commission’s adjudicatory activities, it was criticized for following a “shifting course” that seemed “characterized by its efforts to test the outer limits of its [unfairness] jurisdiction in an essentially ad hoc manner,” and “utilizing multiple theories, sometimes in a single proceeding.” See David L. Belt, “Should The FTC’s Current Criteria for Determining “Unfair Acts or Practices” Be Applied to State “Little FTC Acts?” (citing David A. Rice, Consumer Unfairness at the FTC: Misadventures in Law and Economics, 52 GEO. WASH. L. REV. 1, 26 (1984)). There are aspects to the FTC’s current activities that (somewhat unsettlingly) echo its prior attempts to test the limits of its powers. Ultimately, concerns over inconsistency led to an FTC policy statement that served as a self-imposed constraint on the agency’s powers. This policy statement was later codified in amendments to the FTC Act in 1994, resulting in Section 5(n), which limits the FTC’s authority to find practices “unfair” to those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Arguably, this was a significant narrowing of the FTC’s powers, first as a result of the agency’s own voluntary statements, and then by Congress expressly legislating that the agency has “no authority” to regulate outside the stated parameters. This history provides an interesting backdrop for Judge Salas’ unfairness decision. Wyndham pointed to a number of public statements made by the FTC between 1998 and 2001—one of which was by the FTC Chairman before a Congressional committee, and one of which was in published guidance—in which the FTC stated that it did not have the power to generally enforce data security lapses under the unfairness prong. See Consumer Privacy on the World Wide Web, Hearing before H. Comm. on Commerce, Subcomm. on Telecomm., 105th Cong., at n.23 (July 21, 1998) (Chairman Robert Pitofsky stating that its authority was “limited in this context to ensuring that Web sites follow their stated information practices”); FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 33-34 (2000) (“As a general matter, however, the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites”). For those who have followed the agency in the ensuing years, it was abundantly clear that the FTC did in fact take this stated position. Yet Judge Salas “was not convinced” that these statements added up to the type of unequivocal disavowals of authority that the FDA had given with respect to cigarette regulation, as addressed in Brown v. Williamson. One wonders what she would have made of the policy statement by the FTC in the 1980s self-imposing the limitations later codified in Section 5(n); perhaps it was the lack of “ratification” by Congress of the data security disavowals that troubled her, although the decision does not say so. Judge Salas did cite the fact that the FTC seemed to have reversed its position in subsequent years, suggesting that an agency should not be locked into its initial statutory interpretation, and pointing to a statement to that effect by the Supreme Court in Brown v. Williamson. The Supreme Court, though, made this statement in a somewhat different context. The Court stated that the significance of the FDA’s consistent disavowal of authority over tobacco, for many years, was that it provided a framework against which Congress’ multiple tobacco-specific legislative enactments could be interpreted. While the FDA had shifted its position after many years and had begun asking Congress for authority to regulate tobacco, Congress instead passed multiple laws directly addressing the problem of tobacco use and human health. The Supreme Court believed that this refusal to grant the FDA the requested authority, while at the same time passing laws creating its own legislative scheme, meant that Congress “understood that the FDA is without jurisdiction to regulate tobacco products and ratified that position.” Here, too, the FTC had asked Congress to grant it the broad authority over data security which the agency did not believe it possessed under Section 5. The key difference is that when Congress then passed laws touching on data security with this backdrop of disavowals in place, in several instances Congress granted the FTC the authority to act within certain narrow areas. While Judge Salas interpreted Brown v. Williamson as requiring the agency’s assertion of authority to directly contradict Congress’ intent as expressed in recent statutes, there is no principled reason why granting an agency some aspects of the authority it seeks in specific areas, as opposed to refusing to grant the agency any new authority, points to a different idea on the part of Congress as to the agency’s existing scope of authority. Both can be consistent with an agency not having power to operate in the area. Indeed, Wyndham made a compelling argument that the new grants of power by Congress in the statutes that addressed data security would in fact be superfluous if the FTC already held the necessary authority, an argument Judge Salas waved away by pointing to the fact that to some extent the statutes were not merely superfluous because they provided for different standards of injury in certain cases (leaving unanswered the fact that in other respects the statutes were superfluous if the FTC already had the requisite powers). Given these infirmities in the district court’s decision, there is certainly room for another district court (or any Circuit Court) to find differently as to the scope of the FTC’s unfairness authority. While agencies may be free to alter their interpretation of statutes over time, another court initially or on further review may find that where an agency disavows a particular type of authority, then petitions Congress to acquire it, and then when rejected by Congress simply ignores its lack of authority and begins bringing enforcement actions, this is nothing more than a naked power grab by the agency. But, the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming. Like it or not, “non-regulated” businesses are likely already subject to certain data security standards. Multiple statutes and regulations embody requirements to reasonably protect certain information, At the federal level, there is the E-SIGN Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, and the Children’s Online Privacy Protection Act, just to name a few. At the State level, we have breach notification laws in 47 states and actual encryption requirements for certain data elements in a growing number (see the recently introduced payment-related security legislation in California). In the global context, the EU Data Protection Directive requires the implementation of appropriate security measures for the protection of personal information. In addition, there are often contractual obligations, such as the Payment Card Industry Data Security Standard, and “self-regulatory” standards, such as those found in the DAA’s self-regulatory principles. And now, as cyber and breach insurance policies are becoming more in-demand, insurance companies are requiring representations about their insured’s data security practices. But most often, there are just the plain old promises that companies make in their privacy policies. What should businesses do in light of this new reality? We’ve already covered the fact that this is an order by a single federal district court judge on a motion to dismiss—it is nothing more than preliminary. Further, the FTC has said that it is not trying to apply anything beyond “reasonable,” as tailored to the hospitality industry and the risk of harm. But what is “reasonable”? Can a pamphlet on the FTC’s website create the standard of “reasonableness”? Or are companies obligated to follow every FTC enforcement action and consent decree, compile a database of the outcomes and then constantly tweak their business practices based on the latest outcome? We will have to wait for some time to get a final disposition in this case, but in the meantime, here are some practical tips: Assess Risk In this environment of uncertainty, it is worth asking yourself and others in your company just how well you secure data. All departments need to partner with other groups in the organization who collect, access, store or use consumer data (that’s customer, potential customers, visitors and employee information). What is “reasonable” will depend on the company’s size, business and technological capabilities as well as the nature and amount of information it collects. Periodic risk assessments are already required by some security programs, such as the PCI Data Security Standards. There are several risk models that can be employed, but you should start by identifying the threats to your business and your data. You can start by asking:

• Who is responsible for your organization’s security program?
• Have you identified your data assets and determined the need for protection as a result of legal requirements and business need?
• Do you run background checks on personnel who handle protected data?
• Do you have the paper trail of NDAs, records of access, retention policies and internal audits?
• Do you go beyond paper policies and train personnel who handle protected data? Do you periodically refresh and reinforce that training (e.g. implementing “pop-quizzes” or internal “spear-phishing” attempts)?
• Do you physically secure your computers and servers against unauthorized physical access?
• Do you have a system for alarms or shutdowns in the event of apparent unauthorized access?
• Do you restrict access to protected information to need-to-know personnel?
• Do you have a method to audit all those in your organization who access, store, or retrieve personal data?
• Do you secure networked workstations and other devices with firewalls, password policies, and centralized patch management?
• Do you secure your network perimeter, limit remote access and maintain intrusion detection and response systems? Do you review the logs, monitor alarms, and respond accordingly?
• Do you protect data at rest and in transit?
• Do you have policies, procedures, and teams in place to respond immediately to breach?
• Do you have contracts in place that commit service providers, vendors and other counterparties to security, limited data uses, audit and breach response, and indemnity?

Mind the Gaps Once you have made your assessment, be prepared to remediate policies and processes that may expose your company to security threats. Common remediation activities include:

• Assign responsibility for the security function. Cross-functional “committees” are great for consensus and buy-in, but know the one person or office that is going to be ultimately responsible (and accountable) for implementation and maintenance of your security program.
• Data loss prevention (DLP) tools can help block employees and others from ex-filtrating confidential data.
• Employee training can help stop unintentional disclosures.
• Encrypt sensitive data
• Implement administrative, physical and technical safeguards no less rigorous than those required by industry standards, such as
  • ISO-IEC 27001:2005 and ISO-IEC 27002:2005
  • The HIPAA Security Rule (if applicable)
  • PCI DSS 3.0 for payment card data; and
  • GLB requirements for federally regulated financial entities.

Audit Data security is not a one-time, fix-it and move on initiative. Threats change and so will your security needs. Similarly, as people change within the organization, processes can be disrupted, altered or altogether forgotten. Once a security program is established, organizations should audit their policies against the ongoing practices. Did the software get the patches? Was Tom’s access removed when he left the company? You must be vigilant in monitoring your program—the hackers certainly will be. And even though you will be the victim, in regulators’ and plaintiffs’ eyes, you may also be blamed.