FTC v. Wyndham - Illinois State Bar Association

9/3/15
The FTC’s Unfairness Doctrine as Applied to Privacy Policies and Data Breaches
Nicole E. Kopinski
Illinois State Bar Association
Intellectual Property Section
Context: Data Breaches
• Collection and storage of sensitive consumer information.
• Risk of inadequate data security practices
  – Consumers exposed to financial harm, including identity theft and credit card fraud.
• Recent massive data breaches include:
See https://www.privacyrights.org/data-breach (providing chronology of data breaches).
FTC v. Wyndham
2015 U.S. App. LEXIS 14839, No. 14-3514 (3rd Cir. Aug. 24, 2015).
ISSUE: Whether the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to bring an enforcement action against a company whose failure to protect sensitive data resulted in financial harm to consumers.
FTC v. Wyndham
2015 U.S. App. LEXIS 14839, No. 14-3514 (3rd Cir. Aug. 24, 2015).
• First confirmation by a higher court that the FTC has the broad authority to regulate cybersecurity that it claims.
  – The Third Circuit ruled that the FTC can enforce data security standards.
  – Affirmed the District Court of New Jersey’s denial of Wyndham’s motion to dismiss.
FTC Act § 5 (15 U.S.C. 45)
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”
• An act or practice is unfair where:
  – It causes or is likely to cause substantial injury to consumers,
  – It cannot be reasonably avoided by consumers, and
  – It is not outweighed by countervailing benefits to consumers or to competition.
• An act or practice is deceptive where:
  – A representation, omission, or practice misleads or is likely to mislead the consumer;
  – A consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  – The misleading representation, omission, or practice is material.
Case Background
• 2008 & 2009: Hackers access customer information from the global hotel company, Wyndham.
• 2012: The FTC sued Wyndham for failing to adequately safeguard its computer network.
  – The FTC charged Wyndham with violating both the deception and unfairness provisions in the FTC Act.
  – Wyndham responded that the FTC lacks authority to regulate and supervise cybersecurity practices.
FTC Arguments
The FTC alleged that:
• Wyndham's data security practices are deceptive and unfair acts prohibited by § 5 of the FTC Act.
• Wyndham engaged in practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” including:
  – Failure to use readily available security measures, such as firewalls;
  – Storage of credit card information in clear text;
  – Failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
  – Failure to address known security vulnerabilities on servers;
  – Use of default user names and passwords for access to servers;
  – Failure to require employees to use complex user IDs and passwords to access company servers;
  – Failure to inventory computers to appropriately manage the network;
  – Failure to maintain reasonable security measures to monitor unauthorized computer access;
  – Failure to conduct security investigations; and
  – Failure to reasonably limit third-party access to company networks and computers.
Wyndham Arguments
Wyndham moved to dismiss the FTC's suit.
• Wyndham challenged the FTC's data security authority under the unfairness prong of Section 5:
  – Wyndham argued that Congress settled on “a less extensive regulatory scheme” by adopting targeted data security legislation (such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act).
  – Wyndham argued that the FTC’s imposition of general data security standards under the FTC’s Section 5 authority would render the scheme adopted by Congress superfluous.
  – Wyndham did not argue that the text or legislative history of Section 5 precluded the FTC from regulating data security.
• Wyndham argued that the FTC has disclaimed authority to regulate data security practices in public statements between 1998 and 2001. See, e.g., FTC v. Brown & Williamson Tobacco.
District Court
• The district court rejected Wyndham's arguments and denied its motion to dismiss.
  – Distinguished Brown & Williamson case: Data security legislation was intended "to complement—not preclude—the FTC's authority."
  – Rejected contention that the FTC disclaimed authority over data security:
    • The FTC did not take a “plain and resolute position” that it lacked jurisdiction to regulate a particular area.
    • The FTC brought several unfairness actions involving data security after making the statements in question.
    • There is no legal basis to conclude that because the FTC never affirmatively declared its authority over data security, it cannot assert it.
• The district court rejected Wyndham’s argument that before bringing an unfairness action under Section 5, the FTC must publish rules and regulations.
  – Such a proposition “would necessarily require the Court to sidestep long-standing precedent . . . that suggests precisely the opposite.”
Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD, Dkt. No. 181 (D.N.J. Apr. 7, 2014).
Third Circuit Decision: Authority
• The Third Circuit Court of Appeals determined that the FTC has authority over unfair trade practices in the arena of cybersecurity.
  – The Third Circuit found that the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.
  – Neither the plain meaning of “unfairness” nor congressional action in the area of cybersecurity negate such authority.
Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015).
Third Circuit Decision: Notice
• The Third Circuit found that to satisfy due process:
  – A company does not need to have “fair notice” of the FTC’s interpretation of which specific cybersecurity standards are required to avoid liability under the unfairness prong of § 45(a).
  – Rather, a company only needs to have had “fair notice” that cybersecurity practices can form the basis of an unfair practice under § 45(a).
• The Third Circuit found that notice existed in this case.
Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015).
Third Circuit Decision: Unfairness
• The Third Circuit did not find that Wyndham’s practices constituted unfair security measures.
  – Rather, the case was remanded to the district court for a trial on the merits.
  – The Third Circuit rejected the following arguments by Wyndham:
    • The conduct is only unfair when it injures consumers through unscrupulous or unethical behavior.
    • That a company does not treat its customers in an unfair manner when the company itself was victimized by criminals.
• The Third Circuit indicated that a company could be subject to an unfairness claim if:
  – The company facilitated the most proximate cause of the injury and the outcome was reasonably foreseeable.
    • Even if the company’s conduct was not the most proximate cause of the injury.
  – Thus, the actions a company takes (or fails to take), from which a cyber attack is reasonably foreseeable, can form the basis of an FTC unfairness claim.
Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015).
Implications: Notice
• The FTC argued that Wyndham and other businesses are on notice of required cybersecurity practices, because the FTC has filed complaints laying out practices which, “taken together,” violate the prohibition on “unfair” business practices.
  – The FTC had an average of approximately 15 new complaints per month in 2014.
  – At oral argument, the Third Circuit judges questioned whether businesses could be expected to monitor the FTC’s dockets to ensure compliance with its standards.
  – The FTC replied that “any careful general counsel would be looking at what the FTC is doing,” because the FTC “has broad-ranging jurisdiction and undertakes frequent actions against all manner of practices and all manner of businesses.”
• The Third Circuit concluded that the FTC guidelines, complaints, and consent orders gave Wyndham notice of the necessary and sufficient conditions of an alleged § 45(a) violation.
Marc H. Perry & Abraham J. Rein, FTC v. Wyndham: Recent Developments and Implications, IPLAW360 (Apr. 8, 2015), http://www.postschell.com/publications/1017-ftc-v-wyndham-recent-developments-implications.
Implications: Monitoring
• The FTC now may continue to assert that businesses are put on notice of the minimum practices they must follow based on the FTC’s complaints laying out cybersecurity practices that the FTC considers unfair.
• Companies may decide to invest in the process of uncovering and filling cybersecurity gaps early to prevent FTC sanctions later.
  – Requires attention to detail in monitoring the FTC’s complaints.
  – Requires working with information technology personnel to decide whether the company’s data security practices cover the gaps about which the FTC is complaining.
  – Requires outside counsel to develop a strong working knowledge of the legal and technical principles of cybersecurity.
• Post-Wyndham, it will be important for businesses to monitor FTC guidelines, complaints, and consent decrees for guidance as to what may constitute unfair cybersecurity practices under § 45(a).
Marc H. Perry & Abraham J. Rein, FTC v. Wyndham: Recent Developments and Implications, IPLAW360 (Apr. 8, 2015), http://www.postschell.com/publications/1017-ftc-v-wyndham-recent-developments-implications.
Implications: Litigation
• Businesses that experience data breaches may have to litigate on multiple fronts.
• Wyndham had to defend itself against both a shareholder derivative action and the FTC action.
  – Wyndham’s directors supported the company as it defended its conduct and procedures before the FTC.
  – The directors were required to satisfy their fiduciary duties by assessing whether the breaches resulted from negligent or reckless conduct by Wyndham’s officers.
  – This may have required Wyndham to file its own civil action against its officers.
FTC’s Use of Consent Decrees
• Since 2002, the FTC has filed and settled over 50 cases against private companies:
  – The FTC argued that the companies compromised consumers’ security by using deceptive or unfair (ineffective) practices in storing their data.
    • See, e.g., cases against Twitter, LexisNexis, ChoicePoint, GMR Transcription Services, GeneLink, Inc., Accretive Health, Inc., and HTC.
  – These cases involved complaints that would have been adjudicated administratively within the commission had they not been settled.
    • See, e.g., In re: Apple Corp. (Apple iTunes Store) (approving $32.5 million settlement with Apple).
  – Settlements involve “consent decrees” under which a company agrees to cease practices the FTC deems unlawful and to take various “corrective measures” to prevent future harm.
• The FTC may seek civil fines in federal court for a violation of a consent decree.
Alden Abbott, Heritage Found., The Federal Trade Commission’s Role in Online Security: Data Protector or Dictator?, Mem. #137 on Legal Issues (Sept. 10, 2014), http://thf_media.s3.amazonaws.com/2014/pdf/LM137.pdf.
FTC’s Use of Consent Decrees
• Companies may be concerned that post-Wyndham the FTC will have more leeway to pursue companies who are subjected to cyber breaches and to require companies to undergo third-party security assessments.
  – But, historically, the FTC has focused on businesses that have exceptionally insecure data security or that completely failed to establish secure systems for consumer data.
  – Only Wyndham and one other company – which is currently winding down – refused to sign consent decrees with the FTC.
• Post-Wyndham, companies should be sure their security is consistent with reasonable industry standards.
• If faced with an FTC action, negotiating a favorable settlement may be the most pragmatic approach.
Nicole Joy Liebman, Third Circuit Says FTC Can Regulate Corporate Cybersecurity Policies, NAT’L L. REV. (Sept. 1, 2015), http://www.natlawreview.com/article/third-circuit-says-ftc-can-regulate-corporate-cybersecurity-policies#sthash.2KYZE1Dj.dpuf.
Additional Issues
• Unfair data security practices
• Extension to privacy policies and practices.
Other Governmental Focus
• Recent public statements and other announcements by governmental regulators signal increased focus on cybersecurity preparedness.
Dixie L. Johnson & Ehren K. Halse, Regulator House Calls: Cybersecurity Examinations and Audits, CORPORATE COUNSEL (May 4, 2015), http://www.corpcounsel.com/id=1202725394688/Regulator-House-Calls-Cybersecurity-Examinations-and-Audits#ixzz3ZI0La6d0.
Other Governmental Focus
• Governmental regulator audits and examinations concerning cybersecurity are expected to increase, particularly in the financial industry.
• January 2015: U.S. Securities and Exchange Commission (SEC) noted the importance of assessing cybersecurity risks and preparedness, when it provided information on priorities and timing of its 2015 examination program.
• February 2015: The SEC and the Financial Industry Regulatory Authority (FINRA) each published summaries of market assessments of cybersecurity risks conducted in 2014 through broker-dealer and investment adviser examinations.
• February 2015: New York’s Department of Financial Services (NYDFS) is considering new rules protecting against “an Armageddon-type” cyberattack on U.S. financial markets; NYDFS released a “Report on Cyber Security in the Insurance Sector,” summarizing its survey results and announcing increased focus on cybersecurity in examinations.
Dixie L. Johnson & Ehren K. Halse, Regulator House Calls: Cybersecurity Examinations and Audits, CORPORATE COUNSEL (May 4, 2015), http://www.corpcounsel.com/id=1202725394688/Regulator-House-Calls-Cybersecurity-Examinations-and-Audits#ixzz3ZI0La6d0.