Author: Leanthony Edwards Jr., Associate Member, University of Cincinnati Law Review
Throughout the past few years, data privacy and cybersecurity have become hot topics within the U.S. legal system and the media. Last year, prominent U.S. corporations like Sony and Home Depot suffered major data breaches that caused significant financial and reputational harm for both the companies and consumers. In response to the increase in massive data breaches, President Obama featured cyber security issues prominently in the State of the Union address.[1] Although getting data security on the national agenda was an important breakthrough, the U.S. may suffer in the near future as a result of Congress’s failure to allocate appropriate resources toward devising a legitimate data security strategy. With dubious legislative authority, the Federal Trade Commission (FTC) has ordained itself the regulatory authority responsible for policing data security policies within the United States. This article highlights two lawsuits brought by the FTC that depict this most recent power grab and illustrate why the FTC’s assumption of this data security role is troublesome.
FTC v. Wyndham Worldwide Corp.
In FTC v. Wyndham Worldwide Corp., the FTC brought an action against Wyndham Worldwide Corp. (Wyndham) for violating § 5(a) of the FTC Act (the Act).[2] Wyndham franchises and manages hotels and sells timeshares through subsidiaries and was responsible for developing information security policies for itself and its subsidiaries.[3] The hotel conglomerate also retained oversight over the information security program of the independently owned entities it licensed its name to under the franchising agreements.[4] The FTC claimed that since April 2008, Wyndham “failed to provide reasonable and appropriate security for the personal information collected and maintained [by Wyndham, its subsidiaries, and licensees].”[5] The FTC attributed Wyndham’s failure to unreasonable security practices, and alleged that this led to the unauthorized access to their network by intruders on three separate occasions.[6] The FTC alleged that the intruders used similar practices in each invasion and that Wyndham failed to adequately adjust its policies to prevent further compromises of consumer data.[7] The breaches led to more than $10.6 million in losses from credit card fraud.[8] The FTC claimed that these events illustrated the existence of an unfair data privacy practice. Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss last July. In doing so, the court held that the FTC did not need express authority from Congress to regulate data security under the FTC Act, and that the FTC did not have to create prior data security regulations in order to police data security. The Third Circuit will hear Wyndham’s appeal in early 2015.[9]
LabMD v. FTC
LabMD, a small laboratory providing cancer-detection services, first fell under the FTC’s scrutiny in January of 2010.[10] In LabMD v. FTC, administrative law judge D. Michael Chappell has been charged with determining the scope of the FTC’s regulatory authority concerning data security policies, as well as its ability to wield that authority on healthcare companies that are governed by other established federal privacy law like the Health Insurance Portability and Accountability Act (HIPAA).[11] The FTC claims that it began investigating LabMD because sensitive information under LabMD’s control was divulged by way of a publicly accessible peer-to-peer file-sharing network in 2008.[12] Nearly four years after the investigation began, the FTC initiated administrative proceedings against LabMD using its § 5 power under the FTC Act, claiming that LabMD’s data security policies amounted to an unfair trade practice.[13] In response to the proceedings, LabMD moved the Administrative Commission of the FTC to dismiss the complaint, citing to § 45(a)(1) of the FTC Act and Scientific Manufacturing. Co. v. FTC, arguing that the FTC lacked statutory authority to regulate data security.[14] LabMD also alleged that the FTC violated the Due Process Clause of the Fourteenth Amendment by failing to give notice of what “unfairness” means with regard to data privacy.[15] The Commissioner denied the motion, prompting LabMD to appeal to the Eleventh Circuit, which barred review until the agency took a more final position.[16] The administrative proceedings are pending, with a final decision expected in 2015.[17]
The FTC Act: Standards for Unfairness
Section 5(a) of the Act gives the FTC authority to regulate “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce . . . .”[18] Due to the rather vague nature of the language used, § 5(a) has led to much litigation. Courts have developed three factors to help determine if a practice is truly unfair: (1) whether the practice injures consumers, (2) whether it violates established public policy, and (3) whether it is unethical or unscrupulous.[19]
A breach of a company’s data security does not necessarily amount to that company engaging in an “unfair practice” per se under these factors, thus making the FTC’s authority here questionable at best. Looking to the first factor, although it is apparent that data breaches injure consumers, this injury is not readily traceable back to the companies. The hacking of encrypted servers and retrieval of consumer information is a criminal act perpetrated on the company, not by the company. Such criminal attacks have been carried out against the U.S. government, yet the government has not been accused of “unfair” or “deceptive” acts for failing to prevent these attacks. Furthermore, becoming the victim of a crime has little to do with public policy, rendering the second factor moot in this case. For these reasons, these practices are neither unethical nor unscrupulous as the third factor requires.
In Regulating Data Protection Policies, the FTC Has Exceeded the Scope of the FTC Act
Although Wyndham and LabMD have not been settled, it is likely that Wyndham and LabMD’s complaints about the FTC’s authority will be fruitless. Pundits have already declared that the FTC’s authority to regulate data security has been affirmed, due to the prevalent belief that the appeals process in these cases is predicted to result in a similar ruling.[20] However, a decision that affirms the FTC’s data security authority would likely be wrongly decided. Subsequent decisions should look to curtail and further delineate FTC authority.
The FTC’s assumption of the role of “data security enforcer” has caused the FTC to exceed its proscribed authority as well as its stated purpose. Historically, the FTC’s primary purpose was preventing and dissolving trusts and monopolies.[21] The legislative history of the FTC Act explains that Congress wanted to allow the FTC to “outlaw exclusionary practices, but not exploitative practices.”[22] Furthermore, Congress designed § 5 of the Act in order “to protect competition, not individual competitors,” and it “proscribes only practices that exclude equally efficient competitors.”[23] Thus, data security regulation and investigation is unrelated to the FTC’s original purpose. The unfortunate consequence of the FTC seizing these additional regulatory “duties” by way of the broad language of § 5 of the FTC Act is that its original and intended duties, as well as its assumed data security duties, will suffer for lack of resources because both are exacting undertakings.
The appropriate response to the FTC assuming data security monitoring duties is for courts to remind the FTC of the folly of its overreach in the 1970s and 80s. As a result of its Consumer Protection Program, the FTC was nationally maligned and nearly forced to dissolve.[24] During this time, federal courts overturned many of the FTC’s determinations of “unfair” trade practices.[25] The backlash was largely a result of the agency getting away from its anti-trust function in pursuing stand-alone § 5 actions untethered to the Sherman Act.[26] In a last ditch effort to save itself, the agency enacted principles that would guide its challenges of unfair or deceptive practices.[27] Revisiting this period in the Commission’s history reveals that the FTC’s power is more limited than many (including the Commission itself) believe. This history also reveals that once the pendulum of authority swings too far in one direction, it swings back hard in the other. Even if the FTC is acting nobly in its attempt to protect consumers by urging companies to develop better data privacy policies, the fact remains that the agency is going beyond its stated purpose in doing so. If this overreach does not cease, it is possible the public may begin to push back, urging Congress to curtail FTC authority or eliminate it altogether.
Although Data Security Is a Legitimate Government Concern, It Is Unclear Who Should Be the Primary Regulator
With data security finally getting the national attention it deserves, advancements in protecting consumer information should follow. However, allowing the FTC to assume the role of national data security enforcer is problematic because the FTC’s legislative authority to do so is tenable at best. The repercussions stemming from the FTC using its stand-alone § 5 authority to regulate data security include the possibility of limitless FTC authority far beyond its power under the FTC Act. Furthermore, by claiming that companies are operating in an “unfair” manner when they are essentially the victims of predatory hacking, the FTC is taking a misguided “blame the victim not the attacker” approach that does not sufficiently address the issue. Although something definitely needs to be done to protect consumer information, it is doubtful that the FTC is the right entity to do so. A better alternative to the FTC policing data policies would be to offer additional remedies to injured parties against a company that experienced a data breach, thus establishing regulations and remedies independent of the FTC and the government.
[1] President Barack Obama, State of The Union Address (Jan. 27, 2015), available at http://www.whitehouse.gov/the-press-office/2015/01/20/excerpts-president-s-state-union-address.
[2] FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 84913 (D.N.J. June 23, 2014). Section 5 provides: “The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”
[3] Id. at 3.
[4] Id.
[5] Id. at 5.
[6] Id.
[7] Id. at 5-6.
[8] Third Circuit Gives Green Light to Review of Wyndham Hotels Data Secuirity Ruling, Bloomberg BNA, http://www.bna.com/third-circuit-gives-n17179893232/ (last visited Mar. 3, 2015).
[9] Allison Grande, Privacy Cases to Watch In 2015, Law 360 (Jan. 2, 2015, 3:26 PM), http://www.law360.com/articles/605174/privacy-cases-to-watch-in-2015.
[10] LabMD, Inc. v. FTC, 2014 U.S. Dist. LEXIS 65090 (N.D. Ga. May 12, 2014).
[11] Id.
[12] Id. at 2; Marianne McGee, FTC v. LabMD: The Next Battle Begins, Data Breach Today (May 19, 2014), http://www.databreachtoday.com/ftc-vs-labmd-next-battle-begins-a-6852/p-2. Peer-to-peer technology enables computers, using similar programs/technology, to create a network and digitally share files with other computers that are connected to the network. Basically, anyone can be connected to the network by simply downloading the software. See Federal Trade Commission, Peer-to-Peer File Sharing: A Guide for Business, available at http://www.ftc.gov/tips-advice/business-center/guidance/peer-peer-file-sharing-guide-business.
[13] LabMD, 2014 U.S. Dist. LEXIS 65090.
[14] Respondent LabMD Inc.’s Motion to Dismiss Complaint with Prejudice and to Stay Administrative Proceedings at 9-28 LabMD v. FTC (2013) (No. 9357); 15 U.S.C. §45(a)(1); Scientific Mfg. Co. v. FTC, 124 F.2d 640, 644 (3d Cir. 1941).
[15] Id..
[16] FTC’s Hammer Gets Bigger with LabMD Case–Federal Trade Commission. The national law review, (Jan. 26, 2015), http://www.natlawreview.com/article/ftc-s-hammer-gets-bigger-labmd-case-federal-trade-commission
[17] See note 10.
[18] 15 U.S.C. § 45 (2015).
[19] FTC Policy Statements on Unfairness, http://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness (last visited Mar. 3, 2015).
[20] Daniel Solve & Woodrow Hartzog, Should The FTC Be Regulating Privacy and Data Security?, Teach Privacy (Nov. 14, 2014), https://www.teachprivacy.com/ftc-regulating-privacy-data-security/ (Explaining FTC’s primary role in data security regulation is allowed under its broad powers).
[21] Marc Davis, History of the U.S. Federal Trade Commission, Investopedia, http://www.investopedia.com/articles/financial-theory/10/the-us-federal-trade-commission.asp (last visited Mar. 3, 2015).
[22] William Kolasky, “Unfair Methods of Competition”: The Legislative Intent Underlying Section 5 of The FTC ACT, Washington, Legal Foundation Critical Legal Issues Working Paper Series Number 189 December 2014, available at http://www.wlf.org/upload/legalstudies/workingpaper/KolaskyFinalWP.pdf
[23] Id.
[24] James Cooper, James Cooper On The Limits Of Section 5’s Scope Beyond The Sherman Act, Truth on the Market (Aug. 1, 2013), http://truthonthemarket.com/2013/08/01/james-cooper-on-the-proper-limits-of-section-5s-scope/ (Highlighting the fact that the FTC earned the moniker the “National Nanny”).
[25] Amy Marshak, The Federal Trade Commission On The Frontier: Suggestions For the Use of Section 5, 86 N.Y.U.L Rev. at 1133.
[26] Id.
[27] See supra, note 24.
