
By Julie Sartain

Inside 1 to 1: PRIVACY talked to Morrison & Foerster’s D. Reed Freeman, CIPP/US, an active IAPP member and editor of the Privacy Tracker, regarding Federal Trade Commission v. Wyndham Worldwide Corporation, specifically the Count II “unfairness” claim, and Wyndham’s motion to dismiss.

Inside 1 to 1: PRIVACY: Wyndham asserts that the FTC assumes it has authority and that Congress did not give FTC the authority to regulate data security. Is that correct?

Freeman: That is essentially right. Wyndham argues that Congress has enacted a number of data security laws applicable to specific sectors but that it has failed to enact a general substantive data security law, and therefore, according to Wyndham, Congress has delegated to itself the authority to create data security laws and has not left it to the FTC to fill in the gaps, especially using its unfairness authority.

Inside 1 to 1: PRIVACY: Isn't the issue here not whether there was harm done but whether the FTC has the authority to make this determination?

Freeman: Wyndham's primary argument is that the FTC does not have the authority to enforce substantive data security law through its unfairness authority. Section 5 of the FTC Act allows for two causes of action. One is deception. Deception requires a representation or omission about a material fact that's likely to mislead a reasonable consumer under the circumstances. They brief it, and they argue that they haven't deceived anybody with their statements and that this cause of action should go away.

But the real fight here—the one that could affect the FTC’s authority in future cases—is over whether the FTC has authority to say, in absence of any representation about data security, that not having good enough security is unfair as a matter of law. Wyndham argues that if the FTC were going to declare what information security practices are unfair, and therefore illegal, it has to give industry some notice, and it can't just do that in an enforcement action by saying this practice or that practice wasn't good enough. Wyndham's argument is that the FTC hasn't given enough guidance on what practices do and do not violate Section 5’s unfairness prong as it relates to information security.

The FTC has, in fact, given a substantial amount of informal guidance on information security best practices but not in any type of formal guide such as its “Made in the USA” guides or the recently updated “Green Guides,” which interpret the FTC’s Section 5 authority in specific areas or fact patterns. What the FTC can do is issue a guide and/or it can also issue informal business guidance, which might say, for example, "It's important to have good security, and these are good security practices." The FTC has issued a lot of the latter and a lot of data security business guidance, but it has not issued a trade regulation rule, and it has not issued a formal guide.

Wyndham's argument is that the FTC has brought enforcement actions where it alleged certain enumerated acts and omissions amount to a Section 5 violation but that the FTC can't just continue to make what amounts to a common law trade regulation rule through enforcement actions that settle. It needs to give businesses more notice than that.

Inside 1 to 1: PRIVACY: Can you explain the report by the FTC in 2000 that disclaims its authority to mandate data-security standards?

Freeman: The FTC actually issued a couple of reports in 2000. The one this question refers to was calling for privacy legislation under the Fair Information Practice Principles. The FTC's position was, we don't have authority under Section 5 and the FTC Act to enact a full-fledged privacy and data security trade regulation rule that would require consumers to be entitled to the full panoply of protections under, what was then considered to be, fair information practices, which included notice, choice, access and security. Security was one of the elements that the FTC called for Congress to include in a full, generally applicable, privacy statute, and it did call for Congress to take action at that time.

Inside 1 to 1: PRIVACY: The issue of who or what has the authority to regulate has been the topic of several recent (2011) bills, none of which passed; therefore, to assume that the FTC already has authority would offend common sense. Do you agree?

Freeman: Here's the problem with using unfairness in the data security context. Some of the early unfairness actions that seemed to be noncontroversial were a unilateral contract breach. There's a case, International Harvester, where a company had a contract with consumers and unilaterally changed the terms of the contract to the detriment of consumers. The FTC's point was you can't do that; it's not fair. And that is not a controversial position. I think we would all agree that a unilateral change of specific contract terms where consideration was paid is probably an appropriate use of unfairness in most circumstances.

Now, fast forward to today, where it is using unfairness to say your failure to do these things and not to do those things, together, amounted to unfairness, and therefore, a violation of Section 5. This is much trickier because information security is incredibly dynamic; the technology is complex; the state-of-the-art changes with rapidity, and the state of risks—with those who would break into systems or do insider jobs—changes and becomes more complex all the time.

It's a reasonably sympathetic argument, at least in the abstract, to say without adequate notice of what the FTC's minimum standards are in order to avoid violation of law, companies are essentially operating in the dark, and they do the best they can, hoping that, if there is a breach, the government will find that they did enough to safeguard against reasonably anticipatable unauthorized access to consumers’ personal information. But what the government has done, according to Wyndham, so far, is give informal guidance and bring a number of enforcement actions that settled but never really defined—in any formal way—what Section 5 requires and prohibits in terms of information security.

Inside 1 to 1: PRIVACY: Why not more cut-and-dry? Why isn't it more specific?

Freeman: I think the government would say it is doing the best it can to give the most guidance it can in a dynamic environment, and it only brings those cases where it thinks the violation, or the inadequacy, was obvious. It would say that it passes on a lot of cases. In other words, it doesn't bring every case; it doesn't bring every action where there was a farfetched attack that nobody could have anticipated. The government would say that it brings the ones that it thinks should have been reasonably anticipated, and the rejoinder to that is, hey government, what you may think was reasonably anticipated is with the benefit of hindsight.

Inside 1 to 1: PRIVACY: If Wyndham is successful, and the courts determine that the FTC does not have the authority to regulate under the unfairness prong, then what? What will be the consequences on current privacy issues if Wyndham wins? Who will regulate these actions—or inactions? Wouldn't Congress have to enact new laws to cover privacy issues and data security?

Freeman: Most FTC cases brought in the privacy and data security area have, at least, an element of deception within the pleadings. In other words, not that many FTC privacy and data security cases stand alone on an unfairness charge. In fact, the Wyndham case itself has both deception and unfairness pled in it.

So it's only about the marginal set of cases where the FTC is relying entirely on unfairness. And I think the FTC may have to rethink entirely how it proceeds and whether it wants to use unfairness in data security cases. But that doesn't mean it can't use deception, and also, it doesn't mean it can't use unfairness elsewhere.

Inside 1 to 1: PRIVACY: So, it won't take the FTC out of the loop, but will it set a precedent?

Freeman: It could set an important precedent on the limits of unfairness as a cause of action. But it's unlikely to destroy the FTC's ability altogether to use unfairness, because that's not what's on the table. What's on the table is whether unfairness is an appropriate cause of action under these facts and circumstances. But there are many other instances when the FTC uses unfairness that may well survive because these are not at issue and don't suffer from the same kinds of difficulties that Wyndham raises in its pleadings.

Inside 1 to 1: PRIVACY: Wyndham says it did not engage in deception and that unfairness is a completely inappropriate cause of action. Do you agree?

Freeman: I think it's a good argument, and we'll see. I think if either side loses, it's going to go to the court of appeals, and a three-judge panel of the court of appeals will ultimately decide this case. But if the FTC loses, it is not going to just accept the defeat.

This would be a meaningful defeat for the FTC. It would appeal to the court of appeals. And courts of appeal are notable for issuing narrow opinions. So I would expect, ultimately, the prevailing decision in this case, whether it's at the district court or the court of appeals, to be as narrow as possible and limited to data security and limited to, as close as possible, the facts of this case.

And the worst-case outcome for the FTC could be severe restriction of its ability to use unfairness in data security cases and, perhaps, other cases. And I think it's highly unlikely that the ultimate decision in this case strips the FTC of its use of unfairness authority altogether.

Julie Sartain, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO, The Privacy Advisor and Inside 1 to 1: Privacy.
