<b><i>Online Extra:</i></b> FTC Sued Over Refusal to Disclose Data Security Policies

By Jenna Greene
May 28, 2015

The Federal Trade Commission (FTC) was sued last month for refusing to turn over information about how the agency decides to bring data security cases.

The Freedom of Information Act suit by Philip Reitinger, a former Department of Homeland Security official who is now president of a cybersecurity company, comes as the FTC defends its role as data security cop in two ongoing cases.

'The FTC's data security activity has increased in recent years and is likely to continue to do so,' wrote Reitinger's lawyers, Steptoe & Johnson LLP partners Michael Baratz and Stewart Baker, in the complaint. 'In light of this increased activity, it is important for the public, including entities subject to the FTC's data and cybersecurity enforcement, to understand the FTC's expectations for data security practices and the reasoning for its actions.'

Baker declined to comment, saying that 'the complaint speaks for itself.' A Federal Trade Commission spokesman did not immediately respond to a request for comment.

Reitinger sued after the FTC refused to share any nonpublic information about its policies for data and cybersecurity enforcement.

Such questions are central in a pending case in the U.S. Court of Appeals for the Third Circuit that involves Wyndham Hotels and Resorts, and in an ongoing administrative trial against medical testing company LabMD Inc. The FTC sued both companies for alleged data security breaches.

'The FTC has not given notice of what cybersecurity practices are 'unreasonable,' ' wrote Wyndham counsel Eugene Assaf, a partner at Kirkland & Ellis, in a March 27 brief in the Third Circuit. Wyndham says it was the victim of an attack by Russian criminal hackers, and that the FTC is pursuing a 'novel and legally untenable theory that Wyndham committed an 'unfair' trade practice.'

LabMD president and CEO Michael Daugherty said in an email to the NLJ on Thursday that 'If businesses don't know what the law requires they can't comply.'

Daugherty said the FOIA suit 'strikes directly to the heart of the matter in LabMD's battle with the FTC. It must be unconstitutional for a government agency to refuse to disclose what standards and rules apply to a statute.'

The FTC has not proposed any rules laying out data security standards, though it has issued guidance. During oral argument in the Wyndham case, agency lawyers said rulemaking is impossible because cybersecurity is 'one of the fastest changing areas of technology.'

In refusing Reitinger's request for internal documents about data security enforcement, the FTC claimed FOIA Exemption 5, asserting that all the material is protected by the 'deliberative-process privilege.' It also said that FOIA Exemption 7(E) applied, alleging that the documents are also law enforcement guidelines, and that their disclosure could 'reasonably be expected to risk circumvention of the law.'

So how is a company supposed to know what data security practices could get it in trouble? In the Wyndham and LabMD litigation, FTC lawyers said companies should look at the more than 50 data security lawsuits the agency has filed.

Those complaints 'are akin to policy statements or interpretive rulings, which, though not binding, 'reflect a body of experience and informed judgment to which courts and litigants may properly resort for guidance,' ' the FTC said in court papers.

Companies that have settled FTC charges for data security lapses include Snapchat Inc., Fandango LLC, HTC America, Twitter Inc. and Rite Aid Corp.

Jenna Greene writes for The National Law Journal, an ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected] or on Twitter @JgreeneJenna.
