The year 2014 has been described as the “Year of the Breach.” (See the January 2015 Ponemon Institute study titled “2014: A Year of Mega Breaches.”) It started out with fallout from the Target breach, which occurred at the end of 2013 and carried over into 2014, affecting 40 million debit and credit cards. This “Point of Sale” attack spread to other retailers such as P.F. Chang's, Neiman-Marcus, Michael's, and Home Depot as the result of malware called “Black POS,” allegedly distributed by a couple of teenagers in Russia. See, “Home Depot Hit By Same Malware as Target,” Krebs On Security.
Hacking attacks perpetrated on several financial institutions followed during the summer and fall of last year, along with the largest health care breach of the year occurring in August. See, “Hackers' Attack Cracked 10 Financial Firms in Major Assault,” NY Times Dealbook; “The Big Data Breaches of 2014,” Forbes.
Finally, the year ended with the attack that probably caught the most media coverage in 2014.
Just before Thanksgiving, employees at Sony returned to work on a Monday to find a dramatically grotesque and threatening depiction on their computer screens from a group calling itself the “Guardians of Peace.” Among the items leaked during this intrusion were unreleased movies, scripts, employee social security numbers and health information, along with some very embarrassing internal e-mails. See, “Sony Hack: A Timeline,” Deadline.com.
2015: A Worse Year?
Early on in 2015, pundits were already predicting that the extent and number of data breaches from 2014 would severely pale in comparison to those that would occur in 2015. See, “Think 2014 Was Bad for Hacking? Worse Is to Come,” CNBC.com. With a full quarter of the year left to go, the totals may have already set new records with massive data breaches of health care users at Anthem and UCLA, consumers at Carphone Warehouse in the UK, the headline-grabbing hacks of Sony and Ashley Madison, and topped off with the recent catastrophic attack on the federal government's Office of Personnel Management.
The latest report from the Identity Theft Resource Center (ITRC) shows that as of Aug. 18, 505 data breaches were reported, exposing almost 140 million records. (Those numbers do not reflect the Ashley Madison site breach, which is estimated to have exposed personal information on 37 million registered users.)
Inevitably, people across the country, victims, media, members of government, and even litigious-minded attorneys, are scrambling to determine what legal recourse exists not only to retroactively seek retribution, but also to proactively enforce data security methods, a task that is still at its nascent stages of development.
U.S. Data-Protection Paradigm
Unlike the European Union's or Canada's treatment of data protection, where one set of regulations applies to all industries equally, privacy laws in the United States evolve one industry at a time and, therefore, at different rates of development.
For example, the Payment Card Industry Data Security Standard (PCI DSS) addresses security issues for branded credit and debit cards of the major providers. It lists 12 separate requirements grouped into six different “Control Objectives.”
In the realm of health care information security, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are specifically applicable to well-defined “Covered Entities” and “Business Associates.” These statutes, and the subsequent regulations that interpret them, set forth explicit, specific security actions that are “required” or “addressable.” The latter category of actions is not mandatory, but requires the entity to establish reasons why the activity is not feasible to accomplish, followed by a choice of alternative options that are equally as secure for the patient's protected information possessed by the entity. There also exists a complex four-tiered system of penalties ranging from “unknowing and reasonably not capable of knowing with due diligence” on the low end to “wilful neglect and refusing to correct” on the high end.
FTC Approach
In contrast, the Federal Trade Commission (FTC) utilizes the less detailed provisions found in §5 of the FTC Act of 1914, codified in 15 U.S.C. §45, as authority for its participation in regulating data security in a variety of industry and business endeavors. Subsection (a)(1) generically prohibits “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce,” while subsection (a)(2) makes this prohibition broadly applicable to “persons, partnerships, corporations, except banks, [and] savings and loan institutions.”
To date, the FTC has pursued over 50 enforcement actions citing §5 as its authority. Most actions have resulted in consent decrees in which the targeted entity agrees to 20 years of independent auditing to ensure data privacy and security procedures are followed. See, “The Federal Trade Commission's Role in Online Security: Data Protector or Dictator?,” The Heritage Foundation.
It is these data regulatory powers expressed by the FTC that are currently being contested in court by the Wyndham Worldwide Corporation (Wyndham). The Agency sought injunctive and “other equitable relief” against Wyndham for data breaches caused by three of the Corporation's subsidiaries, which it alleged amounted to unfair and deceptive practices.
Specifically, the FTC claimed that between April 2008 and January 2010, similar breaches occurred on three separate occasions across the Wyndham subsidiaries, leading to the hacked acquisition of payment card account numbers, expiration dates and security codes. The FTC alleged that particularly troubling was the fact that Wyndham had become aware of the breaches and methods of attack after the second of these breaches, but still failed to take adequate steps to secure the data under its control to prevent the third breach.
The FTC summarized the harm caused by the breaches, as follows:
The compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts, and more than $10.6 million in fraud loss. Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit. Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm.
See, p. 17, ¶ 40 of FTC's Complaint.
Wyndham filed a Motion to Dismiss, arguing three grounds in support. The Motion was decided in the FTC's favor by the District Court for New Jersey. See, FTC v. Wyndham, 10 F. Supp. 3d 602 (D.N.J. 2014). Each of Wyndham's points, accompanied by the court's analysis, will be presented separately below.
Lack of Authority
Wyndham questioned the authority of the FTC to utilize a 1914 statute in making a claim of an unfair practice in dealing with the complex and ever-changing world of data storage, noting this is the first instance when a court has been asked to make such a finding.
The District Court reminded Wyndham that it was not making a final determination on the merits by denying any part of the defendant's motion. The standard of proof at this pleading stage is not the probability of the FTC's success, just the plausibility. Dismissal is only warranted where there is just a mere possibility of success.
In a similar vein, the court noted that it was not saying §5 will apply to all data breaches in the future. It was only ruling that in this case it was plausible that the statute will support the FTC's causes of action.
Brown & Williamson
Wyndham attempted to use FDA v. Brown & Williamson Tobacco, 529 U.S. 120 (2000), precedent for its claim of lack of authority, but the District Court distinguished that decision. The U.S. Supreme Court in Brown & Williamson ruled Congress had clearly removed tobacco regulation from the FDA's authority. No such limitation has ever been directed at the FTC.
Wyndham also noted that several other federal statutes specifically govern sensitive data security, while neither the FTC Act nor subsequent regulations do. The District Court ruled that these other regulatory provisions do not contradict the FTC's authority but merely supplement it, and further found nothing prohibiting the FTC from extending its reach to data security.
Wyndham further observed that heads of the FTC had publicly acknowledged its authority was limited over certain forms of data breaches, and that the FTC had never publicly asserted, prior to the institution of this proceeding, that it had authority to regulate the security of sensitive data. (On April 2, 2014, FTC Commissioner Edith Ramirez testified before the Senate Committee on Homeland Security and Governmental Affairs seeking greater authority to regulate data security. See, “Prepared Statement of the Federal Trade Commission on Data Breach on the Rise: Protecting Personal Information from Harm.”) The court found that even if this were true, it was not a limitation on the FTC's attempt to seek injunctive relief in this case.
Fair Notice
Next, the Defendant argued that without the promulgation of any form of detailed regulations by the FTC, Wyndham did not possess legally required fair notice of what guidelines to follow so as not to commit any unfair practice with respect to its customers' data. Considering the constantly volatile and complex nature of cyberattacks, the complete lack of guidelines denied Wyndham of its constitutional right to such fair notice.
The court disagreed with Wyndham, citing a long line of precedent from previous circuit court decisions approving the FTC's intervention into a variety of other matters in which it had not established detailed regulations in advance. Moreover, by its very nature, FTC Act §5 must be interpreted with great flexibility, and this was clearly Congress' intent in enacting that provision.
Failure to Sufficiently Allege
The last of Wyndham's defenses was the only one to apply to the FTC's allegations of both unfair practices and deceptive practices. Here, it alleged the FTC failed to sufficiently allege a cause of action.
In order to support its unfair practices claim, the court found the FTC had satisfactorily alleged the four necessary elements.
Wyndham cited Reilly v. Ceridian, 664 F.3d 38 (3d Cir. 2011), for the proposition that, as long as credit card holders suffer no out-of-pocket losses, they suffer no “injury-in-fact” and therefore have no cause of action. But the court in Wyndham found a distinction here in that the FTC alleged misuse of the victims' data, something that was not alleged in Reilly.
On the second element, the FTC must plead that the substantial injury was not reasonably avoidable by the victims. Here, the court refused to reach a conclusion based solely on the pleadings of an issue that is so “fact-dependent.”
The third and fourth required elements, that Wyndham's data-security practices caused the substantial injury and that those practices were not reasonable, are demonstrated by the same alleged facts. On these points, the evidence appears fairly substantial.
Defendants, among other security deficiencies, allegedly utilized outdated and vulnerable hardware, failed to use complex IDs and passwords, failed to inventory their computers or know where they were, and failed to use industry-recognized security measures such as the very commonplace use of firewalls and encryption.
Regarding the FTC's deceptive practice cause of action, the court noted the defendant's policy statements on its websites making representations of safeguarding its customers' personally identifiable information and using industry standard practices to do so. Considering the numerous standard security practices the FTC claimed were not followed by Wyndham, the court found this a more than sufficient pleading of deceptive activity.
Third Circuit Affirms
For all these reasons, the District Court denied Wyndham's Motion to Dismiss.
Just as this issue was going to press, the U.S. Court of Appeals for the Third Circuit upheld the District Court's ruling that the FTC's claims against Wyndham should stand. Writing for the Third Circuit, Judge Thomas L. Ambro ruled that Wyndham's claim that conduct is only unfair when it is “unscrupulous” or “unethical,” was not supported by case law. “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” Ambro said.
Ambro also said that Wyndham's claim that the FTC did not provide it with fair notice as to the cybersecurity standards it was to follow is at odds with its position that the FTC has no clear standards on cybersecurity. See, FTC v. Wyndham, No. 14-3514 (Third Cir. Aug. 25, 2015).
LabMD v. FTC
Wyndham is not the only recent litigation to question the FTC's authority to bring a data breach enforcement action. The Agency initiated an administrative proceeding against LabMD, which filed a Motion to Dismiss in the Northern District Court of Georgia. The trial court's decision was recently affirmed by the U.S. Court of Appeals for the Eleventh Circuit. See, LabMD v. Federal Trade Commission, 776 F.3d 1275 (11th Cir. 2015). Both courts ruled that it was improper for LabMD to proceed with a Motion to Dismiss in federal court before the administrative proceedings have concluded.
Conclusion
The litigation in both Wyndham and LabMD may be a long way from done, but one or both have the fascinating potential of setting a major precedent in the manner in which commercial entities in this country must maintain sensitive data protection. This article, unfortunately, is not the best forum to do justice to the complicated issues of policy and procedure, and just plain fairness that have been and will be raised in these two cases. But the litigation ought to be awfully fun to watch.
Stephen Treglia, JD, HCISPP, is the former head of the cybercrime unit at the Nassau County, NY DA's Office, and is currently Legal Counsel and HIPAA Compliance Officer to the Investigation Section at Absolute Software Corporation.