Like a group of blind men encountering an elephant—one touching the trunk and thinking “snake,” another feeling a tusk and thinking “sword,” a third caressing an ear and thinking “sail”—so do commentators, lawyers and industry players struggle to identify what “reasonable data security” practices mean in the eyes of the Federal Trade Commission (FTC). In the absence of federal legislation or regulatory guidance, the reasonableness standard is assessed on a case-by-case basis through a string of FTC enforcement actions, 47 so far, by which the agency provides the public with glimpses into its regulatory interpretation.
In the study accompanying this post, Westin Research Fellow Patricia Bailin, CIPP/US, pieces together the most comprehensive view to date of the FTC’s reasonable data security standards.
The study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training.
This is the second time the IAPP has distributed the study. It was published as an article for The Privacy Advisor in September and drew strong reaction from the privacy and data security community. Now it is available as a PDF that is easier to distribute and use as a tool in your organization. It is part of the Westin Research Center’s project to create a casebook of FTC privacy and security enforcement actions, a web-based resource making available more than 150 FTC cases, together with more than 1,000 associated documents, in full-text searchable format, tagged, indexed and annotated with headnotes, footnotes and cross-theme overviews.
The FTC’s approach to data security has been a source of contention. Businesses argue that the FTC is exceeding its bounds, enforcing against a backdrop of sparse regulatory guidance and the absence of legislative rules. At the same time, some of those same businesses try to forestall any effort to legislate data security standards, arguing that such standards would quickly ossify as security threats and technology evolve. It is no secret that the Magnuson-Moss rules, which impose cumbersome procedural requirements on the FTC’s rule-making powers, render the prospect for formal data security rules remote at best.
The FTC’s response to critics, who lament the lack of a baseline data security standard, is to point to its string of enforcement actions for guidance on what is right or wrong. Indeed, in an influential article, Professors Dan Solove and Woody Hartzog argued that the body of work of FTC enforcement actions constitutes a “common law,” a living fabric of jurisprudence that develops privacy and data security standards on a case-by-case basis. In a recent article, Solove and Hartzog argue strongly for more expansive enforcement efforts by the FTC, suggesting that the agency typically picks low-hanging fruit, focusing on the most egregious offenders and enforcing the most widespread industry norms. They would like to see the FTC push the envelope more.
The common law analogy is limited, given the unique features of administrative adjudication by the FTC. As law students know well, when learning the common law of contracts or torts, the important takeaway is not the result of a given case but rather the reasoning behind it. The modern concept of negligence, a breach of a duty of care causing harm to a plaintiff, lives long after anyone bothers to remember whether it was Donoghue or Stevenson who found a dead snail in her bottle of ginger beer. Yet the FTC’s enforcement actions, with their one-sided pleadings—the complaint is made public but the defendant’s arguments are not—and minimalistic consent decrees, yield little more than a bottom-line result with little, if any, legal reasoning.
Moreover, even the results of the FTC’s enforcement actions are not necessarily representative, since only cases that are settled—or, very rarely, litigated—become publicly available. The FTC’s closing letters remain confidential. This serves the mutual interests of both the defendants and the FTC. Investigated businesses prefer to stay out of the limelight. And the FTC is loath to have the reasons for closing an investigation “used against it” in future proceedings, which might feature changed circumstances or additional facts.
With the current study, the Westin Research Center steers clear of the normative fray. It makes a modest claim—that regardless of jurisprudential theory, something can be learned from the FTC’s four-dozen data security decisions. Like the men feeling part of the elephant, we know what we know, that is, that certain practices can get you in trouble. Like those men, we don’t know what we don’t know, that is, whether other practices that have not yet been addressed by the FTC are “reasonable” or not. (In fact, we don’t even know whether there is an elephant, that is, a comprehensive FTC data security standard.) Even in those cases that have been pursued, we don’t know how high the reasonableness bar is set. Would it be enough for a company to elevate its game by just an increment to clear the reasonableness standard? Or does it have to climb several steps to clear the bar?
Next Tuesday, the IAPP’s New York KnowledgeNet devotes a meeting to the Westin Research Center study, including participation by FTC Bureau of Consumer Protection Deputy Director Daniel Kaufman who will discuss the findings and their implications. Participation is free; register here.