
10 Lessons from FTC Guidance on Data Security

By Marc S. Roth
April 01, 2016

“Not if, but when.” These simple words are enough to keep privacy officers, corporate counsel, compliance officers and IT managers up at night when faced with the reality that their network will at some point be breached. This is no surprise given the spate of corporate breaches and unauthorized network intrusions reported in recent years, as well as the costs, reputational harm and investigations and lawsuits that follow in their wake. While there are no silver bullets to stop breaches from occurring, understanding and following legal actions brought by regulatory agencies and heeding security guidance they issue can go a long way in preventing security lapses and unauthorized attacks.

There is no omnibus federal law that prescribes the level of security that companies must use to protect consumer information. Instead, Congress has identified certain categories of sensitive data that warrant regulation, such as health information, financial information, and online information collected from children under 13, resulting in the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB Act), the Fair Credit Reporting Act (FCRA), and the Children's Online Privacy Protection Act (COPPA), respectively.

Each of the above laws (and their implementing regulations) to some extent dictate specific data security standards for companies that possess consumer information in these industries. But for the vast number of companies that do not fall within these categories, knowing what standards they are expected to employ to protect consumer information remains an elusive task. Notwithstanding this void, companies that fail to develop a comprehensive data security plan and implement at least some level of minimum security measures to protect consumer information remain vulnerable to attacks, lawsuits and regulatory investigations.

Enter the FTC

Companies that experience a data breach of some sort can expect to hear from the Federal Trade Commission (FTC) shortly after the breach becomes public. The agency has brought over 100 privacy and data security cases under its broad jurisdictional authority pursuant to Section 5 of the FTC Act (15 U.S.C. § 45), which empowers it to investigate and halt unfair and deceptive acts and practices in commerce.

The FTC's privacy enforcement docket has historically involved companies that failed to abide by their posted privacy policies, which the agency claims violated the FTC Act for being a deceptive trade practice. But the FTC has also brought cases against companies that have failed to take adequate precautions to protect consumer information, alleging that such failure was unfair to consumers, since they could not reasonably avoid the harm that may result from such inadequacies.

But therein lies the rub. How can the FTC claim that a company has not adequately protected consumer information if it and Congress have not given industry specific guidance to follow?

Two companies took the FTC to task on this issue by challenging the agency's authority to bring data security enforcement cases in the absence of clear and prior guidance. Both of these cases have recently reached resolution, with differing, though logical, results.

Last summer, in a case that e-Commerce Law & Strategy has been following, the U.S. Court of Appeals for the Third Circuit upheld a district court's finding that the FTC does have the authority to review and scrutinize a company's data security practices under Section 5 of the FTC Act. The FTC sued Wyndham Worldwide Corporation in federal district court in December 2012 for failing to employ reasonable and appropriate protections for consumer information, which resulted in several data breaches and caused “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts, and more than $10.6 million in fraud loss.”

Wyndham moved to dismiss the action by challenging the FTC's authority to bring claims under Section 5 in the absence of specific and particular data security standards. The district court rejected Wyndham's motion and the Third Circuit affirmed. FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015).

Three months later, an FTC administrative law judge ruled against the agency in a case involving a cancer-screening laboratory's failure to adequately protect sensitive consumer information. In the Matter of LabMD Inc., No. 9357 (Nov. 13, 2015). The ALJ dismissed the agency's August 2013 complaint alleging that LabMD failed to employ “reasonable and appropriate” data security for consumer information, which “caused, or is likely to cause substantial injury to consumers.” Like Wyndham, the FTC investigation followed several breaches by LabMD that collectively exposed personal information of approximately 10,000 consumers. The FTC's complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network, and company documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.

The complaint concluded that LabMD's alleged failure to employ such measures amounted to an unfair trade practice under the FTC Act by causing, or being likely to cause, substantial harm to consumers that is not reasonably avoidable by consumers or outweighed by benefits to consumers or competition. The ALJ disagreed, finding that “FTC complaint counsel had failed to carry its burden of proving that LabMD's alleged failure to employ reasonable data security constitutes an unfair trade practice, because complaint counsel failed to prove that the allegedly unreasonable conduct caused or was likely to cause substantial injury to consumers.” He added: “At best, Complaint Counsel has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) [of the FTC Act] requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.” Id.

This matter is far from over, since the FTC has appealed the decision to the full FTC Commission, which will likely result in the decision being overturned. But the ALJ's finding does fall in line with a string of cases questioning whether regulatory investigations and class actions are appropriate where no harm resulted from an actual or potential data breach.

While these decisions may appear to conflict, they address very different issues and are not in tension. Wyndham involved actual, proven consumer harm, whereas LabMD did not. Query whether the Third Circuit and the lower court would have upheld the FTC's authority to prosecute inadequate security practices in the absence of provable and discernible harm. The lack of harm was very much the centerpiece issue for the FTC's ALJ in LabMD.

Regardless of the final outcome of these cases, companies that collect and maintain consumer information, particularly sensitive information such as account numbers, must develop and implement sound data security policies and procedures designed to prevent unauthorized breach and intrusion. In the absence of statutory prescriptions to follow, the FTC has published a document that many consider to be a treasure map to the FTC's secret vault of security expectations.

This document, titled “Start with Security: A Business Guide,” follows a series of FTC workshops and papers involving privacy and data security. It highlights the following 10 practical lessons that can be drawn from over 50 data security cases the agency has brought over the last decade.

  1. The FTC urges companies to factor security into every aspect of their business, especially when developing data collection, retention and use policies. Specifically, companies should not collect unneeded personal information, should only retain collected information for as long as needed, and should not use such information for unnecessary purposes.
  2. Companies should limit access to personal information to only those employees and vendors who need it.
  3. Companies should require persons with access to personal data to use strong and effective passwords, and should employ encryption when the nature of the data warrants stronger protection.
  4. Companies should maintain sensitive personal information securely throughout its life cycle, both when in storage and when in transit.
  5. Companies should design networks to separate internal networks containing consumer information from the Internet and employ intrusion detection software to monitor for malicious activity.
  6. Given the explosive growth of telecommuters and vendors that remotely access company networks, companies should secure endpoints by requiring strong passwords and antivirus software on all remote computers and devices.
  7. Companies should build security into all new product development so that engineers and developers consider current and future product uses and scaling. Companies should also follow the security guidelines of the platforms on which the products will run and be accessed.
  8. Businesses should require third-party service providers to implement appropriate security measures commensurate with the work they will perform and the data to which they will have access and should monitor their activity.
  9. Companies should keep antivirus and third-party software updates current, implement required patches as quickly as possible, and take network vulnerability warnings seriously.
  10. Finally, companies should apply the same level of sensitivity and diligence to office hardware and paper files as they would electronic files. Specifically, they should develop and implement security policies for the storage of files and hardware while on and off company premises as well as the destruction of such materials when no longer needed.

Conclusion

Data breaches are the new reality. As hackers continue to develop technological capabilities faster than data protection specialists can, and companies increasingly allow remote access to corporate networks by employees and vendors, it is virtually impossible to protect these networks from every unauthorized attack. But following the FTC's guidance outlined above will go a long way toward preventing such events from occurring. In the event of a breach and a follow-on FTC inquiry, being able to show that this guidance was followed might stave off a full regulatory investigation and consent agreement. And better yet, following the guidance just makes good business sense.


Marc S. Roth is a partner in the advertising, marketing and media division of Manatt, Phelps & Phillips in New York. He can be reached at [email protected].
