Questions of Authority – who will be the federal regulatory cop on the privacy beat? FTC? FCC? Privacy, Data Security Jurisdiction Questions to the Forefront in 2015

As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.

Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm. The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices, and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices. Instead, the court determined that the FTC complaint against Wyndham adequately pleaded “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require the use of complex passwords, to erect adequate firewalls preventing third parties and insecure devices from accessing enterprise servers, to use up-to-date operating systems that could receive security patches and upgrades, or to adequately inventory its computers so that compromised devices could be readily located. Issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the court’s decision does not constitute a ruling on the merits of the FTC complaint. The jurisdictional issue is the subject of an interlocutory appeal to the 3rd Circuit, which remains pending while the parties engage in court-ordered mediation. Read our posts here and here for more information on the Wyndham case.

Another area to watch in 2015 is the jurisdictional implications for FTC authority over online privacy arising from the Federal Communications Commission’s (FCC) ongoing consideration in its net neutrality proceeding of whether to reclassify broadband Internet access service as a common carrier service.  The FTC has used its Section 5 authority to challenge as “unfair or deceptive” online service providers’ failures to adhere to the statements and practices set forth in their privacy policies.  Broadband and online providers also have been subject to enforcement actions, even in the absence of any material misrepresentation regarding privacy practices, for failure to reasonably safeguard the privacy or security of consumer data.  As FTC officials have pointed out, however, common carrier services – like telecommunications services – are exempt from the FTC’s Section 5 authority.  If the FCC does reclassify broadband Internet service as a common carrier offering, the FTC’s oversight authority over broadband privacy and data security practices could be jeopardized or curtailed.  As if to signal the potential impact of reclassification on broadband oversight, the FTC in late October brought an enforcement action under Section 5 against AT&T for “throttling” data throughput rates for certain customers who had signed up for unlimited data plans.

Not to be outdone, the FCC contemporaneously issued a Notice of Apparent Liability proposing a forfeiture of $10 million against two telecommunications providers – TerraCom, Inc. and YourTel America, Inc. – for their alleged failure to protect the confidentiality of consumers’ proprietary information. The enforcement action was viewed as controversial, as the Commission for the first time expanded the definition of “proprietary information” – which telecommunications carriers are required to keep confidential – to include customers’ personally identifiable information. Commissioners Ajit Pai and Michael O’Rielly both dissented, arguing that Title II of the Communications Act does not create an affirmative legal obligation to protect personally identifiable information or to notify customers of a data breach, and that the Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to employ reasonable data practices.

These developments suggest that 2015 could be an active year in terms of defining and clarifying the scope of Federal agency authority over privacy and data security matters.