It was billed as the “toughest debate in town,” and Meal vs. Mithal did not disappoint. At the IAPP’s Global Privacy Summit in early April, Omer Tene, VP of Research and Education at the IAPP, moderated a discussion between Douglas Meal, partner at Ropes & Gray, and Maneesha Mithal, associate director for the Division of Privacy and Identity Protection at the FTC. Meal and Mithal were at odds as they debated the scope of the FTC’s authority under Section 5 of the FTC Act, and, particularly, FTC v. Wyndham.

The conversation started with a bang as both Meal and Mithal gave their opinion on the Wyndham case. In a decision issued in late 2015, the U.S. Court of Appeals for the Third Circuit affirmed a district court finding that the hotel chain Wyndham employed insufficient data security practices resulting in three data breaches in less than two years.

Meal, who served as counsel for Wyndham during the case, argued that the FTC overstepped its authority under Section 5 of the FTC Act. He asserted that the FTC failed to establish that the breaches caused substantial injury to consumers, one of the three prongs required for a claim of unfairness under Section 5. Meal also maintained that Wyndham Corporation neither collected nor used the breached information; rather, privately owned hotels licensing the Wyndham name were responsible for collecting, using and protecting the personal data that was illegitimately accessed and stolen.

Mithal, on the other hand, contended that the FTC properly exercised its authority under Section 5 in the Wyndham case. Specifically, Mithal argued that the substantial injury prong was met because consumers were inconvenienced by the breach of their financial information, forcing consumers to monitor, assess, and fix financial accounts and auto-pay mechanisms. Mithal said that although inconvenience is not typically substantial injury, based on the principle of time-value of money, the time and effort it takes to address issues associated with a breach is a type of harm that falls within the unfairness scope.

Once both made their initial arguments related to Wyndham, the debate surrounding FTC authority under Section 5 became the main topic. Meal argued that the FTC does not provide proper notice to companies about reasonable information security practices. Unsatisfied with that tack, Tene asked Meal, “What’s wrong with that? You should know to act reasonably, isn’t that the crux of tort law? How much more notice do you need?” Meal contended that some actions would be so unreasonable that specific notice wouldn’t be needed. However, Meal stood firm and said the Wyndham case was not an example of this and that greater notice was necessary because of Wyndham Corporation’s lack of involvement in the collection, use and storage of the breached data.

Some have argued that FTC consent decrees from previous cases serve as a type of common law that should put businesses on notice as to unfair and deceptive acts or practices. Tene challenged this notion, however, as consent decrees are not litigated decisions but settlements. Mithal agreed that consent decrees are not developing a type of common law because those settlements apply only to specific fact patterns. However, she pushed back by saying that the FTC has published guidance for companies on information security for over a decade that is consistent with the elements outlined in many consent decrees.

Harm and substantial injury were also major points of contention between Meal and Mithal. An unfairness claim under Section 5 requires three things, including a finding of an act or practice that causes, or is likely to cause, substantial injury to consumers. Tene pressed both panelists as to what type of injury should fall within the scope of Section 5.

Meal contended that the substantial injury in this context can only be economic. He asserted that Section 5 was never supposed to apply to the type of inconvenient and non-economic harms that Mithal referenced. For example, Meal mentioned that the consumer is protected and will receive a refund if fraudulent purchases are made on their credit card, so no economic injury has occurred.

Mithal fundamentally disagreed and argued that just because a consumer can receive a refund, it does not mean they are not harmed. She maintained that the FTC does not have to prove substantial injury, only that substantial injury is likely to occur. In addition to the financial harm, Mithal asserted that Section 5 was meant to cover some harms beyond financial, like revenge porn. She agreed that Section 5 unfairness was not meant to protect consumers from emotional harm, but believes that injuries resulting from acts like revenge porn are categorically different than mere emotional harm.

The unfairness standard under Section 5 follows a three-part test, but seemingly does not require a showing of culpability. Tene asked Mithal whether, if no culpability is required, unfairness is a strict liability violation. Mithal pushed back, arguing that unfairness does not follow a strict liability standard, nor is the FTC a “gotcha organization” looking to punish companies. She said that the FTC investigates business practices and acts thoroughly and often finds them reasonable even when a breach has occurred. Mithal also maintained that although there is no intent requirement under Section 5 unfairness, the unfairness standard is similar to a negligence standard in civil law as it is based on reasonableness.

Although the debate could have raged on for hours, time constraints forced the conversation to end. In a final attempt to challenge the panelists before the session ended, Tene asked Mithal why the FTC was arguing for data security legislation when it already claims to have the authority to regulate data security under Section 5. She argued that the FTC does have the authority to regulate in the information security space but there are gaps in said authority. Mithal said that Section 5 does not apply to non-profits, nor does it establish the ability for the FTC to levy civil penalties, and she thinks the FTC needs additional authority to properly and consistently regulate. Lastly, Tene asked Meal to reconcile how those in commerce have argued that current FTC rules are too vague while lobbying against additional legislation. He agreed that those conflicting notions are hard to reconcile, but asserted that a “safe harbor” prescriptive approach would be helpful. He said businesses need an “if you do A, B, C, D, then you are sufficient. A framework type model is needed as opposed to vague legislation.”

Mithal responded by saying that the FTC issues security and industry-specific guidance for companies that is not vague at all. However, for perhaps the first time in the conversation, Mithal found some common ground with Meal and agreed that a safe harbor framework was worth exploring.

Is that something we’ll see in the near future? Perhaps we’ll find out at the next Global Privacy Summit.