In this post we are going to examine the rules used to determine whether the Federal Trade Commission’s “Reasonable Precautions” cybersecurity standard gives businesses fair notice of what they have to do to adequately protect their customers’ information from data breaches. The short answer is that businesses have to watch how the FTC enforces the standard, and act accordingly.
In subsequent posts we will examine whether the standard supplies the required notice by exploring how, and whether, the FTC has enforced the standard, as well as what if anything businesses can, and are, doing to comply with it and protect themselves.
The two main cases that have made the news recently regarding the FTC’s cybersecurity standard are the FTC’s administrative trial against LabMD, Inc. that we spoke about last time, and the FTC’s suit against Wyndham Worldwide Corp and its three subsidiaries, which is entitled Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. Both LabMD and Wyndham reportedly challenged the FTC’s right to enforce any such cybersecurity standard and have argued that even if it can, the standard is too vague, so that no business can know what it has to do to comply with it.
The FTC argues that it has the right to enforce the Reasonable Precautions standard under its authority pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce. It basically argues that:
- A business that doesn’t take reasonable precautions to protect its customers’ data is acting unfairly because that failure meets the statutory definition of unfair acts or practices found in 15 U.S.C. § 45(n): it causes or is likely to cause substantial injury to consumers which they cannot reasonably avoid and it is not outweighed by countervailing benefits to consumers or competition;
- Reasonableness is a sufficiently clear standard; but
- Reasonableness can be decided, and enforced, on a case-by-case basis.
The FTC’s arguments were summarized in the Wyndham case in the April 7, 2014 decision of U.S. District Judge Esther Salas. The decision, which denied the motion brought by one of the defendants, Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”), to dismiss the complaint, states:
In response the FTC argues that, in the data-security context, “reasonableness is the touchstone” and that “unreasonable data security practices are unfair.” (FTC’s Opp. Br. at 17). The FTC contends that the Court can evaluate the reasonableness of Hotels and Resorts’ data-security program in view of the following guidance: (1) industry guidance sources that Hotels and Resorts itself seems to measure its own data-security practices against; and (2) the FTC’s business guidance brochure and consent orders from previous FTC enforcement actions. (Id. at 17-20).
The FTC also asserts that data-security standards can be enforced in an industry-specific, case-by-case manner and, further, that it has the discretion to enforce the FTC Act’s prohibition of unfair practices through individual enforcement action rather than rulemaking. (Id. at 20, 22). And it argues that the “ascertainable certainty” standard does not apply–but that even if it did, reasonableness provides ascertainable certainty to companies. (11/7/13 Tr. at 74:7-19, 153:1-6; Jnt. Supp. Br. at 9 n.2).
Likewise, the rules for determining whether an agency’s standard of care adequately notifies a business of the rules with which it must comply were set out in detail in the Wyndham case in the same April 7, 2014 decision of U.S. District Judge Esther Salas:
Undoubtedly, “laws which regulate persons or entities must give fair notice of conduct that is forbidden or required.” Fox Television Stations, 132 S. Ct. at 2317; see also Christopher v. SmithKline Beecham Corp., 132 S. Ct. 2156, 2168 (2012) (“It is one thing to expect regulated parties to conform their conduct to an agency’s interpretations once the agency announces them; it is quite another to require regulated parties to divine the agency’s interpretations in advance or else be held liable when the agency announces its interpretations for the first time in an enforcement proceeding and demands deference.”); Fabi Constr. Co. v. Sec’y of Labor, 508 F.3d 1077, 1088 (D.C. Cir. 2007) (“Even if the Secretary’s interpretation were reasonable, announcing it for the first time in the context of this adjudication deprives Petitioners of fair notice. Where, as here, a party first receives actual notice of a proscribed activity through a citation, it implicates the Due Process Clause of the Fifth Amendment.”); Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1328-29 (D.C. Cir. 1995) (“In the absence of notice–for example, where the regulation is not sufficiently clear to warn a party about what is expected of it–an agency may not deprive a party of property by imposing civil or criminal liability.”). Hotels and Resorts uses these precepts to argue that the FTC must issue regulations–or else an FTC unfairness claim must be dismissed.
But the Court is unpersuaded that regulations are the only means of providing sufficient fair notice. Indeed, Section 5 codifies a three-part test that proscribes whether an act is “unfair.” See 15 U.S.C. § 45(n). And, notably, Hotels and Resorts’ only response to the FTC’s analogy to tort liability–where liability is routinely found for unreasonable conduct without the need for particularized prohibitions–is the following: “While the negligence standard has long been a cornerstone of tort law, no Article III court has ever–not once–articulated the data-security standards that Section 5 of the FTC Act supposedly imposes on regulated parties.” (HR’s Reply to Jnt. Supp. Br. at 5). The Court is not persuaded by this argument that essentially amounts to: since no court has, no court can–especially since Hotels and Resorts itself recognizes how “quickly” the digital age and data-security world is moving. (See 11/7/13 Tr. at 25:12-14).
The court in the Wyndham case clearly held that the “Reasonable Precautions” standard gave adequate notice:
The Court declines to do so. See FTC v. R.F. Keppel & Bro., 291 U.S. 304, 310 n.1 (1934) (“It is believed that the term ‘unfair competition’ has a legal significance which can be enforced by the commission and the courts, and that it is no more difficult to determine what is unfair competition than it is to determine what is a reasonable rate or what is an unjust discrimination.”); Voegele, 625 F.2d at 1077-78 (affirming that the disputed language in an OSHA regulation implied “an objective standard[,] the reasonably prudent person test,” which is not unconstitutionally vague).
Indeed, “the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141-42 (1976) (emphasis added) (internal quotation marks omitted), superseded by statute on other grounds, Pregnancy Discrimination Act, 42 U.S.C. § 2000e-(k). Hotels and Resorts’ argument that consent orders do not carry the force of law, therefore, misses the mark.
Finally, the Court is not convinced that this outcome affirms Section 5’s vagueness such that “FTC data-security actions . . . would be exempted from Rule 12(b)(6) scrutiny,” as Hotels and Resorts contends. (See HR’s Reply Br. at 8). This position ignores that, in addition to various sources of guidance for measuring reasonableness, a statutorily-defined standard exists for asserting an unfairness claim. See 15 U.S.C. § 45(n). Moreover, the Court must consider the untenable consequence of accepting Hotels and Resorts’ proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions–a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.
The FTC, and the court in the Wyndham case, told everyone they could find out what they need to know about what to do and what not to do in cybersecurity by following how the FTC enforces the rules. They seemed to say you will be able to ascertain the standard of care for protecting customers’ sensitive private information the same way you can determine what is, and is not, negligence in tort law: through the fact patterns and the holdings in the case law. It might be a good idea to take them at their word and follow along. That is what we will do in subsequent posts, and it should be informative.
Thank you.