Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, the FTC’s body of data security consent orders – basically private settlements of uncontested and unadjudicated cases (most of which also include deception claims), where the remedies include “fencing in” that goes beyond what the law requires – are merely indications of best practices and not some sort of “common law” as some have contended. Indeed, to treat consent orders as precedential would fly in the face of Congress’ purposeful curtailment of the FTC’s rulemaking authority under Mag Moss, as compared to the APA standards applicable to other federal agencies. Finally, the decisions suggest that the application of Section 5 unfairness authority to consumer privacy, especially in the context of interest-based advertising, is limited.

The decisions are consistent with the history of Section 5. In the late 1970s, the FTC was moving to prohibit or greatly limit advertising to children, known as “kid vid,” based on its unfairness authority. There was Congressional backlash, and the end result was that the FTC’s unfairness authority was significantly curtailed statutorily. In order to prevail in an unfairness claim arising out of a data security incident, the FTC has to prove that allegedly unfair data security practices in effect during the relevant time period of a breach –

  • caused or are likely to cause substantial injury to consumers [not, e.g., to other businesses];
  • that this injury is not reasonably avoidable by consumers themselves; and
  • that this injury is not outweighed by countervailing benefits to consumers or to competition.

15 U.S.C. § 45(n)[2]. And to be considered substantial, the harm has to be a real and significant injury, arguably even with financial impact on consumers.

Of course, this is not a free pass for companies. Some companies are subject to specific statutory security standards that have penalties for noncompliance. For instance, covered entities under HIPAA still have to be concerned about failures to meet HIPAA privacy and security standards and the repercussions of such failures, and COPPA has statutory security requirements for personal information collected from children online. In addition, the FTC still has its much-used deception authority to go after companies that make inaccurate statements about data security in privacy policies or otherwise. Companies need to resist the temptation to make security assurances that could be seen as overpromising what they can in reality deliver. However, the wind has been taken out of the FTC’s sails when it comes to the use of unfairness authority to punish companies that are victims of hacking, since the threshold establishing that a company’s data security was so woefully inadequate and the resulting consumer harm so substantial as to be “unfair” is now properly being set relatively high.

Furthermore, these decisions also make it much more difficult for the FTC to try to apply unfairness authority to consumer privacy issues, as the current chairperson has advocated. See Why We Don’t Need the FTC on Big Data Lifeguard Duty. For instance, consider cross-device data tracking for interest-based advertising targeting, a practice recently examined by the FTC in a November 16 workshop. What actual, much less substantial, harm do consumers suffer because their online activities are tracked to build profiles that allow more relevant ads to be delivered to them? And the benefits to both consumers and competition are compelling – consumers get more relevant ads, publishers are able to afford to make great content available to consumers for free because they can charge advertisers more for the ads, and advertisers are able to more efficiently use their marketing budgets and track ROI.

For additional information on data privacy and security issues, including the scope of FTC regulatory authority, contact the authors.

The Wyndham case settled after the Third Circuit’s decision. See our analysis of the settlement and associated consent order here. Wyndham and certain of its affiliates are clients of BakerHostetler. BakerHostetler has not represented Wyndham in connection with the data security incidents referenced in the FTC’s complaint, or in the proceedings brought by the FTC.

The FTC has appealed the LabMD decision.