Many in the data privacy and security communities are beginning to comprehend the significance of the Federal Trade Commission v. Wyndham Worldwide Corp. decision. Since the decision, many have weighed in on what has been called the “most important federal court decision on data security enforcement.”
Prior to the ruling, however, the massive data breaches at retail stores like Target and Neiman Marcus triggered a number of federal proposals to enact comprehensive data security laws and regulations. In light of these costly breaches, some legislators stated that developing a comprehensive national strategy to protect data privacy and security “remains one of the most challenging and important issues facing our Nation.” But with Wyndham affirming the Federal Trade Commission’s (FTC’s) current authority and processes to regulate data security under Section 5 of the FTC Act, an interesting question is presented: What effect might this ruling have on data security legislation in the U.S.?
Comprehensive Data Security Legislation
Calls for comprehensive data privacy and security legislation are nothing new, introduced long before the FTC filed suit against Wyndham in 2012. Sen. Patrick Leahy (D-VT), for instance, first introduced a version of his current proposal nine years ago, and has reintroduced some version of it numerous times since, to no avail. However, in the wake of last year’s large-scale data breaches, Congress responded with a significant influx of data privacy and security legislation. A few notable bills include:
- Leahy’s Personal Data Privacy and Security Act of 2014 and its House counterpart introduced by Rep. Carol Shea-Porter (D-NH-01);
- Sen. Jay Rockefeller’s (D-WV) Data Security and Breach Notification Act of 2014; and
- Sen. Thomas Carper’s (D-DE) Data Security Act of 2014.
While these bills vary in scope, definition and substance, they share a few common proposals. First, these proposals would mandate some form of baseline data security safeguards for organizations collecting, maintaining, using or retaining certain types of personal information. Second, they would establish some form of federal breach notification law requiring organizations maintaining personal information to disclose a data breach, under certain circumstances, to affected consumers. Finally, they would provide for explicit rulemaking authority to promulgate rules related to these data security safeguards and breach notification requirements, while also providing civil penalties to enforce these requirements. The FTC commonly receives both rulemaking authority and enforcement abilities under these proposals.
Notably, these legislative proposals are distinct from the FTC’s Section 5 unfairness authority in the data security context, on which Wyndham focuses. As Solove and Hartzog articulate in their recent Columbia Law Review article, the FTC’s unfairness jurisdiction is, in many ways, “quite limited” and has been exercised “judiciously” when it comes to data security. These current proposals would expand the FTC’s reach, no longer limiting it to the “three-part” unfairness test of Section 5(n), and granting the commission the ability to regulate and oversee the required comprehensive data security safeguards—not to mention the added ability to enforce federal breach notification laws.
Additionally, the ability to deter noncompliance with strict civil penalties would now be a possibility. As Commissioner Maureen Ohlhausen has stated, the FTC currently has the authority to seek civil penalties for only data security violations with regards to children’s online information under COPPA, credit report information under the FCRA, or those requirements specifically prescribed in administrative orders. Finally, and a point of much contention during the Wyndham litigation, the FTC would receive explicit Administrative Procedure Act rulemaking authority to promulgate what companies must do in order to comply with the data security requirements under these proposals. The FTC’s current rulemaking process under Section 5—the “Magnuson-Moss” process—has typically been avoided by the commission. Instead, the commission has relied on industry practices, FTC supplemental documentation, and previous consent decrees to articulate whether a company has adequate data security practices in place.
What Does Wyndham Mean For the Future of Data Security Legislation?
Despite these differences, has Wyndham’s affirmation of the FTC’s regulation process made these proposals unnecessary? Or has it highlighted the need for these practices to be explicitly enacted?
On the one hand, the Wyndham decision may instill an aura of complacency among lawmakers when it comes to current methods of regulating data security, making it difficult to adopt more robust data security legislation. Paul Rosenzweig, for instance, has suggested that whether cybersecurity legislation ever passes Congress “may not matter” now that Wyndham has been decided. For Rosenzweig, “the FTC’s authority is clearer, and its efforts stand as the centerpiece of the federal program to compel the business community to adopt more stringent and effective cybersecurity measures.”
Some proponents of strong data security regulations, however, are likely to express an alternative viewpoint. Affirming the FTC’s use of Section 5 in the data security context, while important, was really affirming the status quo for data security regulation. Prior to Wyndham, the FTC had settled more than fifty data security cases, a number of them by way of its Section 5 “unfairness” authority. Absent the FTC’s Section 5 authority, most companies would have no federal obligations to provide consumers reasonable data security. A ruling curtailing FTC activities could have created, as Omer Tene recently stated, a “regulatory vacuum” in the data security space, a vacuum that would occur on the heels of the year dubbed by Symantec as “The Year of the Mega Breach.”
While many were relieved that the court in Wyndham affirmed the status quo, there is still a belief by many that the status quo is just not good enough. After applauding the Wyndham decision in front of the U.S. House of Representatives Energy and Commerce Committee Privacy Working Group, for instance, Commissioner Julie Brill was quick to state that she believes “federal data security legislation is needed and that it would be very useful for this Working Group to consider appropriate legislative proposals.” So those who agree with Commissioner Brill must now explain why comprehensive data security measures still matter and fight a possible belief that additional legislation is no longer necessary. In a sense, affirming the FTC’s current methods, as Wyndham has, may make adopting more comprehensive data security legislation a bit more difficult.
On the other hand, some who believe that Wyndham was wrongly decided could point to the decision and call for legislation reforming the FTC’s existing processes. For instance, TechFreedom President Berin Szoka believes that the decision “miss[ed] the point,” and argues that the issue was never whether FTC had the authority to regulate data security practices under Section 5, but rather, how the FTC explained its analysis for determining whether data security practices amount to an unfair or deceptive trade practice. For Szoka, the fifty data security settlements and a “skimpy ‘guidance brochure’” don’t cut it. “If the courts do not force the FTC to apply greater analytical rigor in what it increasingly calls a ‘common law’ of data security and privacy,” Szoka stated, “it will fall to Congress to reform the FTC’s processes to ensure greater checks on the agency’s discretion.” Overall, Wyndham may be a battle cry to Congress for those who believe that the FTC should have a process that better articulates to companies whether their data security practices meet regulatory standards.
But at the end of the day, it seems as if comprehensive data security legislation coming to fruition is unlikely, regardless of Wyndham. Again, even before Wyndham, many had tried and failed to pass comprehensive data security reform and it doesn’t seem like that trend is changing anytime soon. Attention also seems to have heavily focused on addressing government surveillance reform, an issue that can sometimes eclipse the private sector data security conversation. The fact that this is an election year may also dictate the fate of data security legislation. Alysa Zeltzer Hutnik, a partner at Kelley Drye & Warren, recently told Bloomberg that there are “dim prospects” for data security legislation in the near future, “given that an election year is coming up and lawmakers have been unable to reach agreement on many issues lately.”
Conclusion
This, of course, is all conjecture. It’s not quite clear what effect Wyndham will actually have on data security legislation, if any at all. It could instill an aura of complacency among lawmakers that will make legislation harder to adopt. It could also be a catalyst for future reform. Or, it could be completely irrelevant to whether legislation is passed. It’s also important to note that the ruling simply addressed Wyndham’s motion to dismiss the case, and later court rulings (or a possible appeal) could greatly change perspectives on how this case may ultimately affect data security legislation. The possibilities are endless! I for one will be interested to see how these current proposals progress through Congress, and whether Wyndham plays a role.