By Julie Sartain
Inside 1 to 1: PRIVACY talked to Morrison & Foerster’s D. Reed Freeman, CIPP/US, an active IAPP member and editor of the Privacy Tracker, regarding Federal Trade Commission v. Wyndham Worldwide Corporation—specifically, the Count II “unfairness” claim—and Wyndham’s motion to dismiss.
Inside 1 to 1: PRIVACY: Wyndham asserts that the FTC assumes it has authority and that Congress did not give FTC the authority to regulate data security. Is that correct?
Freeman: That is essentially right. Wyndham argues that Congress has enacted a number of data security laws applicable to specific sectors but that it has failed to enact a general substantive data security law, and therefore, according to Wyndham, Congress has delegated to itself the authority to create data security laws and has not left it to the FTC to fill in the gaps, especially using its unfairness authority.
Inside 1 to 1: PRIVACY: Isn't the issue here not whether there was harm done but whether the FTC has the authority to make this determination?
Freeman: Wyndham's primary argument is that the FTC does not have the authority to enforce substantive data security law through its unfairness authority. Section 5 of the FTC Act allows for two causes of action. One is deception. Deception requires a representation or omission about a material fact that's likely to mislead a reasonable consumer under the circumstances. They brief it, and they argue that they haven't deceived anybody with their statements and that this cause of action should go away.
But the real fight here—the one that could affect the FTC’s authority in future cases—is over whether the FTC has authority to say, in absence of any representation about data security, that not having good enough security is unfair as a matter of law. Wyndham argues that if the FTC were going to declare what information security practices are unfair, and therefore illegal, it has to give industry some notice, and it can't just do that in an enforcement action by saying this practice or that practice wasn't good enough. Wyndham's argument is that the FTC hasn't given enough guidance on what practices do and do not violate Section 5’s unfairness prong as it relates to information security.
The FTC has, in fact, given a substantial amount of informal guidance on information security best practices but not in any type of formal guide such as its “Made in the USA” guides or the recently updated “Green Guides,” which interpret the FTC’s Section 5 authority in specific areas or fact patterns. What the FTC can do is issue a guide and/or it can also issue informal business guidance, which might say, for example, "It's important to have good security, and these are good security practices." The FTC has issued a lot of the latter and a lot of data security business guidance, but it has not issued a trade regulation rule, and it has not issued a formal guide.
Wyndham's argument is that the FTC has brought enforcement actions where it alleged certain enumerated acts and omissions amount to a Section 5 violation but that the FTC can't just continue to make what amounts to a common law trade regulation rule through enforcement actions that settle. It needs to give businesses more notice than that.
Inside 1 to 1: PRIVACY: Can you explain the report by the FTC in 2000 that disclaims its authority to mandate data-security standards?
Freeman: The FTC actually issued a couple of reports in 2000. The one this question refers to was calling for privacy legislation under the Fair Information Practice Principles. The FTC's position was, we don't have authority under Section 5 and the FTC Act to enact a full-fledged privacy and data security trade regulation rule that would require consumers to be entitled to the full panoply of protections under, what was then considered to be, fair information practices, which included notice, choice, access and security. Security was one of the elements that the FTC called for Congress to include in a full, generally applicable, privacy statute, and it did call for Congress to take action at that time.
Inside 1 to 1: PRIVACY: The issue of who or what has the authority to regulate has been the topic of several recent (2011) bills, none of which passed; therefore, to assume that the FTC already has authority would offend common sense. Do you agree?
Freeman: Here's the problem with using unfairness in the data security context. Some of the early unfairness actions that seemed to be noncontroversial were a unilateral contract breach. There's a case, International Harvester, where a company had a contract with consumers and unilaterally changed the terms of the contract to the detriment of consumers. The FTC's point was you can't do that; it's not fair. And that is not a controversial position. I think we would all agree that a unilateral change of specific contract terms where consideration was paid is probably an appropriate use of unfairness in most circumstances.
Now, fast forward to today, where it is using unfairness to say your failure to do these things and not to do those things, together, amounted to unfairness, and therefore, a violation of Section 5. This is much trickier because information security is incredibly dynamic; the technology is complex; the state-of-the-art changes with rapidity, and the state of risks—with those who would break into systems or do insider jobs—changes and becomes more complex all the time.
It's a reasonably sympathetic argument, at least in the abstract, to say without adequate notice of what the FTC's minimum standards are in order to avoid violation of law, companies are essentially operating in the dark, and they do the best they can, hoping that, if there is a breach, the government will find that they did enough to safeguard against reasonably anticipatable unauthorized access to consumers’ personal information. But what the government has done, according to Wyndham, so far, is give informal guidance and bring a number of enforcement actions that settled but never really defined—in any formal way—what Section 5 requires and prohibits in terms of information security.
Inside 1 to 1: PRIVACY: Why not more cut-and-dry? Why isn't it more specific?
Freeman: I think the government would say it is doing the best it can to give the most guidance it can in a dynamic environment, and it only brings those cases where it thinks the violation, or the inadequacy, was obvious. It would say that it passes on a lot of cases. In other words, it doesn't bring every case; it doesn't bring every action where there was a farfetched attack that nobody could have anticipated. The government would say that it brings the ones that it thinks should have been reasonably anticipated, and the rejoinder to that is, hey government, what you may think was reasonably anticipated is with the benefit of hindsight.
Inside 1 to 1: PRIVACY: If Wyndham is successful, and the courts determine that the FTC does not have the authority to regulate under the unfairness prong, then what? What will be the consequences on current privacy issues if Wyndham wins? Who will regulate these actions—or inactions? Wouldn't Congress have to enact new laws to cover privacy issues and data security?
Freeman: Most FTC cases brought in the privacy and data security area have, at least, an element of deception within the pleadings. In other words, not that many FTC privacy and data security cases stand alone on an unfairness charge. In fact, the Wyndham case itself has both deception and unfairness pled in it.
So it's only about the marginal set of cases where the FTC is relying entirely on unfairness. And I think the FTC may have to rethink entirely how it proceeds and whether it wants to use unfairness in data security cases. But that doesn't mean it can't use deception, and also, it doesn't mean it can't use unfairness elsewhere.
Inside 1 to 1: PRIVACY: So, it won't take the FTC out of the loop, but will it set a precedent?
Freeman: It could set an important precedent on the limits of unfairness as a cause of action. But it's unlikely to destroy the FTC's ability altogether to use unfairness, because that's not what's on the table. What's on the table is whether unfairness is an appropriate cause of action under these facts and circumstances. But there are many other instances when the FTC uses unfairness that may well survive because these are not at issue and don't suffer from the same kinds of difficulties that Wyndham raises in its pleadings.
Inside 1 to 1: PRIVACY: Wyndham says it did not engage in deception and that unfairness is a completely inappropriate cause of action. Do you agree?
Freeman: I think it's a good argument, and we'll see. I think if either side loses, it's going to go to the court of appeals and a three-judge panel of the court of appeals will ultimately decide this case. But if the FTC loses, it is not going to just accept the defeat.
This would be a meaningful defeat for the FTC. It would appeal to the court of appeals. And courts of appeal are notable for issuing narrow opinions. So I would expect, ultimately, the prevailing decision in this case, whether it's at the district court or the court of appeals, to be as narrow as possible and limited to data security and limited to, as close as possible, the facts of this case.
And the worst-case outcome for the FTC could be severe restriction of its ability to use unfairness in data security cases and, perhaps, other cases. And I think it's highly unlikely that the ultimate decision in this case strips the FTC of its use of unfairness authority altogether.
Julie Sartain, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO, The Privacy Advisor and Inside 1 to 1: Privacy.