Does the FTC Have Authority Over Data Security?
Over the last fifteen years, the Federal Trade Commission (FTC) has taken on the role of enforcing privacy and data security. See Daniel J. Solove, One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham, TeachPrivacy, Apr. 15, 2014. The agency’s approach to regulation has been to file complaints and enter into settlements, a process considered to be a rite of passage for technology companies.[1] However, one company chose to fight back. See Farhad Manjoo, Another Tech Company Finds the F.T.C. Looking Over Its Shoulder, N.Y. Times, May 8, 2014. When the FTC filed a complaint against Wyndham Hotels for failure to use reasonable data security to protect consumer information, the company challenged the agency’s authority to regulate data security. See David Siegel, Privacy Groups Back FTC In Wyndham Data Security Row, Law360, Nov. 13, 2014. In April, a federal district court held that the FTC does have such authority, and Wyndham immediately filed an appeal in the Third Circuit. id.
The FTC’s authority to regulate data security arises out of Section 5 of the FTC Act, which allows the agency to regulate “unfair or deceptive acts or practices in or affecting commerce.” See 15 U.S.C. § 45. The FTC asserts that inadequate data security is deceptive because it contradicts what companies promise in privacy policies, and is unfair because it creates harm for consumers, according to Solove.
The recent litigation has opened a debate about data security and the agency’s reach. Privacy groups are outspoken in support of the agency’s efforts and filed amicus briefs in the pending appeal, explained Siegel. However, this summer the House Oversight Committee conducted a hearing on the FTC’s authority. See Jedidiah Bracy, House Oversight Investigates, Questions FTC Authority; LabMD Case on Hold, IAPP, Jul. 25, 2014. Critics are concerned that the FTC has overstepped its boundaries, something the agency has done before. See Brian Fung, The FTC Was Built 100 Years Ago to Fight Monopolists. Now, It’s Washington’s Most Powerful Technology Cop., Wash. Post, Sept. 25, 2014.
One concern is that “unfair practice” has become too expansive. See id. Section 5 does not specifically include data security and the agency has been accused of using its authority to pursue erroneous inquiries. See Patricia Bailin, The FTC Refutes Wyndham’s Challenge; Unreasonable Security Is “Unfair”, IAPP, Nov. 13, 2014. However, Bailin explained, the FTC argues that Congress intended the FTC Act to be broad and flexible so the agency could apply its authority to evolving situations. The FTC is shifting to regulating technology because that is where the bulk of consumer issues currently reside, further explained Fung.
Another issue is whether the FTC can enforce data security without publishing a set of best practices, according to Bracy. Due process requires that entities receive fair notice of what is expected of them by the law. However, privacy advocates argue that technology and data security are constantly changing. Instead of issuing specific rules, companies can be guided by the problematic security standards outlined in FTC complaints and consent orders, explained Solove. Over time, the cases will act like a set of rules much like the common law. See id. To date, the FTC has prosecuted nearly sixty data security cases, noted Fung.
Data breaches have become commonplace and the FTC plays a critical role in consumer data protection, explained Solove and Hartzog Without comprehensive data security legislation from Congress, the only recourse is through the FTC’s Section 5 authority. See Brent Kendall, Judge Backs FTC’s Authority in Data-Breach Case: Ruling Rejects Hotelier Wyndham’s Claim That Agency Lacks Power Over Cybersecurity Practices, Wall St. J., Apr. 7, 2014. The pending Wyndham appeal, and other future litigation, will have important implications for data security. But for now, the agency continues its enforcement. This week a federal court ordered two debt brokers to notify more than 70,000 people that they may be at risk for identity theft. See Natasha Singer, U.S. Cracks Down on Debt Brokers Who Exposed Consumers’ Financial Details, N.Y. Times, Nov. 12, 2014. The orders were requested by the FTC who filed complaints against the companies for posting consumer debt portfolios with unencrypted personal information online.
