“The U.S. has no national data protection authority.” Ask an EU official why he or she believes the EU’s data protection system to be superior to the U.S. model, and that will be at or near the top of the list. But tell that to Google. Or TJX. Or CBR Systems. Or any of the dozens of other companies that have been pursued by the U.S. Federal Trade Commission (FTC) over the past several years for alleged data security or privacy violations.
The FTC has made itself America’s de facto Data Protection Authority (DPA) through aggressive use of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC has charged companies victimized by data breaches with unfair or deceptive trade practices on the theory that the breaches were the result of the companies’ failure to adopt reasonable security measures. The companies targeted by the FTC in these cases run the gamut from healthcare to hospitality to retail to social media and other Internet companies. Thus far the FTC is batting a thousand, largely because the defendants in all but two of the cases have opted for settlements and consent decrees rather than proceeding to litigation.
But in a case pending in New Jersey federal court, Wyndham Hotels is challenging the FTC’s authority to enforce data security standards, arguing that the FTC’s practice of accusing companies of unfair trade practices for not adopting “reasonable” cybersecurity practices is itself unfair when there are no rules defining what “reasonable” is. LabMD has also indicated that it plans to challenge the FTC’s authority in a case filed in August.
The FTC’s goals are certainly worthy. But Wyndham and LabMD symbolize the frustration felt by many companies that have suffered breaches and feel that the FTC is blaming them, the victims, for not doing more to prevent those breaches. Many breach victims argue, quite reasonably, that the fact that they were hacked does not mean they did anything wrong or lacked reasonable security measures; on the contrary, even companies with the best cybersecurity in the world get hacked. So being victimized by an FTC investigation after being victimized by a breach is adding insult to injury.
The breadth and depth of the FTC’s focus on data privacy and security is impressive. Indeed, in just the past few months, the FTC:
- Announced a consent decree in its first-ever case involving the “Internet of Things,” an action brought against TrendNet for privacy violations relating to Internet-connected video cameras;
- Unsealed the complaint against LabMD arising from two breaches affecting approximately 10,000 customers;
- Announced that it is looking into sponsored ads on websites and apps; and
- Entered into a Memorandum of Understanding with Ireland’s Data Protection Commissioner to promote cooperation in cross-border enforcement.
In addition, FTC Chairman Edith Ramirez and Commissioner Julie Brill have both spoken or written recently about the FTC’s intention to focus on privacy issues with “Big Data,” with Ramirez suggesting that the FTC would be targeting “Big Data” companies like “a lifeguard on the beach.”
Just last month, in a speech at a conference of the Advertising Self-Regulatory Council, Jessica Rich, director of the FTC’s Consumer Protection Bureau, signaled that when it comes to online privacy, the FTC is “not going anywhere.” Among other things, Rich highlighted the FTC’s commitment to pursuing privacy issues involving Big Data and mobile and other online advertising. (As a personal aside, when I was at the Justice Department I testified alongside Rich at a Senate Judiciary Subcommittee hearing on cellphone location privacy, and she is the real deal. She is a thoughtful, determined privacy advocate, and no one should doubt that under her leadership the FTC is going to be as active as ever.)
The privacy world is watching the Wyndham case closely. But whatever the outcome of that litigation, no one should expect the FTC to back off its aggressive privacy posture. Even if Wyndham prevails, it seems reasonable to expect that there will be a legislative response, with Congress making the FTC’s authority in this space clear. Moreover, the Obama administration’s efforts to promote a Consumer Privacy Bill of Rights, with the FTC as chief enforcer, reflect the administration’s commitment to a robust role for the FTC in protecting data privacy. And in the aftermath of the Snowden leaks, a strong FTC is arguably helpful to U.S. efforts to preserve the U.S.-EU Safe Harbor and to battle the perception of the U.S. as weak on privacy enforcement.
Like it or not, America’s de facto DPA is here to stay. And even if the FTC’s power were somehow limited, there are any number of state attorneys general—led by California’s—who are eager to pursue data breaches involving their states’ citizens, and for whom the statutory authority to do so is perfectly clear.
So in this “blame-the-victim” environment, companies should be proactive—working with outside counsel to review their data security and privacy posture now, before a breach occurs. Not only will such a review mitigate the risk of a breach, but it will also put the company in the best possible litigation position if a breach does occur, making it much less likely that the FTC, a state AG or a court will find that the company failed to act reasonably to protect its data.