The continued occurrence of serious data breaches, including the hack of Sony Pictures that resulted in the canceled theatrical release of The Interview, a satirical film about North Korean leader Kim Jong-un, and the Target data theft impacting up to 110 million consumers and several financial institutions, has put a spotlight on issues of cybersecurity and the protection of sensitive personal information. With public pressure mounting due to this growing threat, Congress is considering legislative action to bolster American businesses’ resilience to cybersecurity attacks and data theft.1 But while the political process on Capitol Hill unfolds, other branches of the federal government have not remained idle. In the executive branch, the Federal Trade Commission (FTC) has stepped up its consumer protection enforcement activity in this area and has pursued actions against companies that the agency deems do not sufficiently protect personal data.
Overview of the FTC’s Cybersecurity Enforcement Authority and Actions
While the FTC has brought more than 50 enforcement proceedings in the past 15 years relating to data security, the pace of FTC activity has picked up in recent years.2 The bulk of the agency’s enforcement has been carried out through administrative actions, which in almost all instances3 have been resolved through consent orders that impose data security measures and long-term supervision by the FTC. The remaining dozen or so cases brought by the FTC have been filed in federal courts pursuant to the agency’s injunctive authority under section 13(b) of the Federal Trade Commission Act (FTC Act). As discussed further below, the FTC has brought such an enforcement action against the Wyndham hotel group, a case pending at the Third Circuit which is expected to address the reach of the FTC’s authority in this area. As with administrative actions, the overwhelming majority of these cases settle shortly after filing. For companies under investigation, early settlement may be driven by, among other considerations, a desire to avoid protracted litigation with a federal agency. Administrative and judicial proceedings involve intrusive and costly discovery4 and can take years to resolve.5
The FTC’s enforcement authority derives principally from the FTC Act.6 Under section 5(a) of the FTC Act, the FTC may take action against “unfair or deceptive acts or practices in or affecting commerce.” Historically, the agency has leveraged the FTC Act’s “deception” prong to challenge allegedly false data security representations made by companies. Up until 2014, all but one cybersecurity civil action brought by the FTC and more than half of FTC data security administrative actions invoked the deception prong.7 More recently, the FTC has challenged cybersecurity practices under the “unfairness” prong of section 5 of the FTC Act. In these enforcement actions, the FTC has developed minimum cybersecurity standards for companies that collect personal information, even in the absence of any allegedly false representations concerning data security.
Many data security vulnerabilities have drawn the agency’s attention as being “unfair” to consumers, including companies’ alleged failure to:
- set up robust log-in protocols;8
- protect against “commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information;”9
- encrypt data;10 and
- provide cybersecurity training.11
Through its consent decrees, the FTC has detailed the various steps that companies must implement to remedy these deficiencies. The typical consent orders, which usually last for 20 years, prohibit prospective misrepresentations concerning data security and prescribe affirmative security measures. A central requirement is the establishment of a comprehensive information security program with administrative, technical, and physical safeguards suitable for the company and the type of protected data. Further, the consent orders usually require independent risk assessments from information technology and security professionals, as well as periodic reporting of the findings to the FTC. Companies must also document their compliance efforts and report material changes affecting their obligations to the agency.
FTC v. Wyndham Worldwide Corp.
There has been little judicial scrutiny of the FTC’s exercise of its section 5 power in the cybersecurity space. A notable exception is FTC v. Wyndham Worldwide Corp.,12 a case which may at last provide much-needed clarification about the scope of the FTC’s authority to impose cybersecurity standards in the absence of substantive statutes or regulations on the subject.
In June 2012, the FTC sued Wyndham, alleging that it failed to maintain “reasonable and appropriate” data security measures. The failure purportedly allowed hackers to gain access to its computer networks, which resulted in the compromise of more than 500,000 payment card accounts and fraudulent charges on hotel guests’ accounts. Because Wyndham allegedly misrepresented that it had implemented reasonable data protection measures on its website, the agency claimed that Wyndham had engaged in deceptive practices under section 5 of the FTC Act. However, the FTC did not stop there. It also claimed that Wyndham violated the unfairness prong of section 5 by failing to implement “reasonable and appropriate” data protection measures in the first place.
In seeking dismissal of the unfairness claim, Wyndham contended that section 5’s unfairness prong did not confer the FTC with rulemaking authority over data security. A New Jersey federal judge rejected that argument in April 2014, given section 5’s broad language and the absence of any statutory command carving out cybersecurity from the FTC’s purview. But because of the novelty and importance of the issue, the judge certified the question for immediate appeal to the Third Circuit. On appeal, Wyndham argued that a business’s failure to take “reasonable and appropriate” cybersecurity measures was not an unfair practice under section 5, as it was not an attempt to take advantage of customers; rather, a cyber-attack harmed the company. Wyndham also faulted the FTC for failing to adequately specify what were “reasonable and appropriate” cybersecurity practices. During oral argument on March 3, 2015, the Third Circuit panel questioned whether the unfairness prong covered nonfraudulent negligent cybersecurity conduct and whether the FTC could directly bring an action in court without first issuing cybersecurity rules through rulemaking or adjudication. The court heard oral arguments on the latter issue on March 27, 2015.
The upcoming ruling by the Third Circuit will likely provide greater clarification about the scope of the FTC’s unfairness authority over cybersecurity practices.
Parallel and Follow-On Litigation
To date, the FTC’s enforcement actions in the cybersecurity arena have not led to a wave of private follow-on litigation. One possible explanation is that the FTC Act, unlike the federal antitrust statutes enforced by the FTC, does not confer a private right of action. Enforcement targets must nevertheless be vigilant. Even if not subject to private litigation under the FTC Act, cybersecurity practices that the FTC deems unfair or deceptive can also lead to private follow-on class action litigation by consumers and other affected parties under state laws, such as consumer protection statutes or specific state data security statutes.13
The CBR Systems controversy is one such example of parallel FTC enforcement and private consumer litigation. CBR is a California-based company that stores stem cells from umbilical cord blood and tissue. In December 2010, a thief broke into a CBR employee’s car and stole a backpack containing a company laptop computer and other electronic storage devices that allegedly held unencrypted personal information on about 300,000 CBR clients, including their names, addresses, social security numbers, medical history, and payment details. The FTC opened an investigation and ultimately filed an administrative complaint in January 2013, asserting that CBR had engaged in deceptive practices by failing to protect its customers’ personal data. Shortly after, CBR entered into a 20-year consent order in which it agreed to establish and maintain a comprehensive information security program, be subject to monitoring from an independent auditor, and report periodically to the FTC about its cybersecurity efforts.14 But the FTC consent order did not end CBR’s travails. In January 2012, clients of CBR filed a putative class action under California privacy and unfair competition law. The case settled in February 2013, with CBR agreeing to reimburse affected clients for identity theft-related losses, pay for class members’ two-year subscription to a credit monitoring program, and pay $600,000 in attorneys’ fees. The full value of the class settlement was estimated at $112 million.15
Companies must also watch out for parallel litigation by state attorneys general. Snapchat’s case is illustrative. Snapchat’s mobile messaging application allows users to send photo and video messages (termed “snaps”) that the company claims disappear very shortly after being sent. Despite the claimed “ephemeral” nature of the snaps, recipients were able to use third-party tools to save the snaps indefinitely. In May 2014, the FTC filed a complaint against Snapchat, alleging that the company made false representations about the disappearance of the snaps, the collection of users’ personal data, and the robustness of its data security. Based on these allegations, the FTC asserted that Snapchat had engaged in deceptive practices under section 5 of the FTC Act. In May 2014, Snapchat agreed to settle with the FTC. The consent order prohibited misrepresentations about the company’s data privacy and security, required Snapchat to establish a comprehensive privacy program, and imposed independent monitoring and reporting obligations for 20 years.16 While the FTC enforcement action was pending, the Maryland attorney general advanced similar allegations against Snapchat and claimed violations of Maryland consumer protection law and COPPA. Snapchat agreed to pay $100,000 and take corrective measures in a June 2014 settlement with Maryland.
Finally, FTC investigations and enforcement proceedings may expose companies to follow-on litigation beyond the consumer protection context. For example, as a result of the FTC’s enforcement action against Wyndham, the company was hit with a shareholder derivative suit which alleged that Wyndham’s directors and officers failed to implement adequate data-security measures and timely disclose the data breaches.17 Although the lawsuit was ultimately dismissed at the pleading stage, the case shows the potential spillover effect of FTC enforcement proceedings. A comprehensive defense strategy should include close coordination between data protection and securities counsel.
Cybersecurity law enforcement is growing. While legislative momentum is building toward formulating federal data security standards, the FTC has continued to use its enforcement authority over unfair and deceptive trade practices to bring cases against companies with allegedly substandard data security practices. Critics point out that the agency does not have any regulatory authority over data security and that the general principles contained in its various consent orders do not provide sufficient guidance to the industry. The Third Circuit is expected to develop the law in this area in the coming months, but it undoubtedly will not be the final word. In the meantime, companies are well advised to bolster their cybersecurity practices and get ahead of any issues that could subject them to the full panoply of FTC enforcement action followed by state regulatory or private class action litigation.