One of the most important – and contentious – issues on the FTC docket is the determination of whether a given data security practice is reasonable or not. The FTC views the employment of unreasonable data security practices as an unfair trade practice actionable under Section 5 of the FTC Act. How will you know whether your practices are up to par? Businesses have argued that the FTC has not provided sufficient clarity; the FTC has responded by referring the industry to its growing body of enforcement actions, more than 50 of which address data security. The instruction is simple enough: Don’t do what we deemed unreasonable in one of those cases.
Okay. But how will you know what the FTC deemed unreasonable in dozens of enforcement actions? As seasoned privacy experts, you can of course go to the FTC website to seek, download and plough through all of the more than 180 FTC privacy and data security cases. But, as of last week, there’s a far better way: The IAPP Westin Research Center has launched its FTC Casebook, which is available at no additional charge to IAPP members. The Casebook makes the task of determining what the FTC regards as reasonable data security seamless, even fun! A digital resource, the FTC Casebook contains all of the FTC enforcement actions in the field, tagged, indexed, full-text searchable and annotated. Don’t take our word for it: Professor David Vladeck, former Director of the Bureau of Consumer Protection at the FTC, called it a “game changer.”
Here’s how you might approach your research into reasonable data security practices. (For a step-by-step introduction to the FTC Casebook’s functionality, see this video prepared by the IAPP Westin Research Center). You can begin your search by checking the “data security” tag. The Casebook’s tag search functionality is a convenient way to filter cases. It is equivalent to searching the index of a hard copy book, a favorite exercise of lawyers in the old days, when casebooks were printed on paper and spanned multiple volumes hundreds of pages each (save the forests!). By tagging “data security,” you immediately narrow the scope of your search three-fold, to 55 cases – not a bad day (ahem, minute) at work.
As you can see, the results page features a summary of each case, its date and a complete list of the tags associated with it. You could use this list for some tag-surfing. You quickly notice, for example, that the first two cases that come up, Snapchat and Credit Karma, both list the “software” industry tag. If you click on that tag in the cases’ tag list, you get the 17 cases the FTC has brought against companies in the software industry. If you click on the “software” tag on the side-bar together with the “data security” tag, you get the cross-section of both searches; i.e., the six cases involving data security AND software companies. Hence, tag searches allow you to cross various industry sectors against the data security cases to discover that 12 data security cases were brought against financial companies, eight against companies dealing with health information (recently, GMR Transcription), two against data brokers (Reed Elsevier and Choicepoint) and two against social networking sites (Myspace and Twitter).
Instead of slicing the data security cases by industry, you may do so by legal theory. As you probably know, the FTC Section 5 jurisprudence is divided between cases asserting deception and those alleging unfairness. Assume you are only interested in the unfairness cases; i.e., your company’s public statements concerning its practices are picture perfect, fully reflecting the reality on the ground, yet you are concerned that that reality may not rise to the standards the agency expects. In this case, you would add the “unfairness” tag to your search, which already selected “data security.” By glancing at the results, you quickly see that in these cases, the FTC refers to industry standards as a yardstick for assessing the reasonableness or fairness of companies’ practices.
Keeping the current tags selected, let’s enter a full text search for the term “industry standards.” Full text searches of the FTC Casebook containing multiple terms (for example, “industry practices” and “operating system”) are “OR” searches, meaning that the results page will list cases featuring one term or the other. Notice, however, that by default the results are ordered by relevance, meaning that the cases at the top of the list tend to feature all of the terms, much like an “AND” search does. In the present case, by combining two tags and a full text search term, you obtain the results that were tagged and contained the selected term. As you can see, there are three cases that meet all of these criteria: Wyndham, Twitter and BJ’s.
Alternatively, assume that the potentially deficient data security practices are not even your own company’s, but rather those of a service provider you have hired. In this case, you can clear the full-text query and add an additional tag, “indirect liability” (under the “Legal Issues” group of tags) to the two tags already selected (“data security” and “unfairness”). Now, you have the seven FTC data security cases alleging unfairness and involving a theory of indirect liability.
After having gone through these exercises, we hope you feel equipped to handle your own search. The IAPP Westin Research Center is eager to hear about your experience and address any questions or comments you may have. In the meantime, let us offer a shortcut for your research about reasonable data security practices. In a research paper dated a couple of months ago, Westin Research Fellow Patsy Bailin pieced together a comprehensive view of the FTC’s reasonable data security standards. Her analysis suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the FTC’s tersely phrased settlement orders, Bailin parsed the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training.
The IAPP’s FTC Casebook is your best resource for researching the FTC’s privacy and security complaints and consent decrees. Find it here.