Section 5 of the Federal Trade Commission Act provides a powerful tool for the federal government to regulate companies’ data-security practices. Rather than adopt specific data-security standards, the FTC often uses Section 5’s flexible and open-ended concepts of unfairness and deception to bring enforcement actions against companies for data-security failures.
The FTC treats these enforcement actions as a form of “common law” that tells other companies what data-security practices Section 5 requires.
While it gives the FTC broad authority, Section 5 lacks a private right of action. Does this absence preclude a plaintiff in a data-breach lawsuit from nonetheless relying on the data-security “common law” developed by the FTC under Section 5?
A recent decision from a federal court in the state of Washington explored this question. This post examines two aspects of that decision, Veridian Credit Union v. Eddie Bauer:
- Can the failure to employ data-security measures that the FTC says are required by Section 5 be treated as evidence of a defendant’s negligence?
- Can a plaintiff assert an unfairness claim for treble damages under a state’s “Little FTC Act” based on a defendant’s failure to employ FTC-mandated data security measures?
A Cyberattack Compromises Point of Sale Systems
Veridian arose from a cyberattack on Eddie Bauer’s in-store point-of-sale systems. The attack compromised customers’ credit- and debit-card information.
Veridian—a credit union whose cardholders shopped at affected stores and had their information stolen—sued Eddie Bauer for failing to prevent the breach. Eddie Bauer’s lax data security practices, Veridian alleged, caused it damages including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.
Veridian’s complaint asserted a common-law negligence claim. For the “duty” element of that claim, Veridian alleged that Section 5 required Eddie Bauer to use reasonable data-security measures. To that end, Veridian pointed to orders issued by the FTC against other companies for failing to secure payment-card data, and to the informal guidance contained in the FTC publication “Protecting Personal Information: A Guide for Business.”
Veridian also asserted a claim under Washington’s Consumer Protection Act (“CPA”). That statute, like Section 5, broadly prohibits unfair or deceptive acts and practices. It also allows courts to award treble damages to private plaintiffs. According to Veridian, Eddie Bauer’s failure to employ security measures that the FTC has said are required by Section 5 was also an “unfair” practice under the CPA.
Blaming the Victim?
Eddie Bauer moved to dismiss the claims.
As to the negligence claim, Eddie Bauer argued that it owed Veridian no duty to secure its customers’ payment-card data. Section 5 could not be the source of any such duty, Eddie Bauer contended, because Congress didn’t intend for the statute to protect parties in Veridian’s position.
As for Veridian’s CPA claim, Eddie Bauer observed that “unfairness” requires a showing that a defendant’s conduct was “likely to cause substantial harm” that consumers could not reasonably avoid. The company then argued that being victimized by a cyberattack did not satisfy this test, for two reasons:
1. the consumers suffered harm owing to the theft of payment-card information, not any failure by Eddie Bauer to properly secure that information; and
2. the consumers could avoid any risks posed by the company’s data-security practices by paying with cash instead of credit cards.
The Court’s Decision
The court denied Eddie Bauer’s motion as to both claims.
The court agreed with Eddie Bauer that Veridian’s common-law negligence claim could not rest on a violation of Section 5. Under Washington law, the violation of a statute can be evidence of negligence—but only if the statute was intended to protect a class of persons that includes the plaintiff. In this case, Congress enacted Section 5 to protect a business’s consumers and competitors from unfair trade practices. Veridian was neither.
Despite this conclusion, the court allowed Veridian’s negligence claim to proceed. The reason? A different Washington state statute supplied the requisite duty. That statute requires a business to reimburse financial institutions for the cost to reissue payment cards if the business has failed to use reasonable care, and that failure causes a breach.
As to the CPA claim, the court rejected Eddie Bauer’s argument that being victimized by a data breach was not an “unfair” practice because the real harm to consumers flows from the acts of a malicious third party.
The court first observed that the Washington legislature modeled the CPA on Section 5 and specifically intended the CPA to be interpreted in light of FTC orders. Pointing to the FTC’s data-security cases against LabMD and Wyndham Hotels, Veridian had shown that the FTC had concluded that failing to properly secure payment-card data could be an unfair practice.
For this reason, Eddie Bauer should have foreseen that failing to secure payment-card data could substantially injure consumers. The fact that the attackers also caused the injury was immaterial: under Section 5 (and thus the CPA), an unfair practice need not be the only cause of the harm.
The court also had sharp words for Eddie Bauer’s “the consumers could have used cash” argument. As the court pointed out, the use of credit and debit cards is “ubiquitous” in all types of commerce. And when deciding how to pay, customers would have no way of knowing that Eddie Bauer’s payment-card security measures were deficient. Because of these points, the court characterized the argument as “disingenuous.”
Avoiding Liability: Keep An Eye on the FTC
Veridian suggests that the FTC’s aggressive use of its unfairness authority under Section 5 to regulate data security may have another unexpected consequence for companies. Private plaintiffs—including in business-to-business data-breach lawsuits—can look to the FTC’s enforcement actions to establish a claim under state laws that regulate unfair and deceptive trade practices.
The prospect of treble damages under these laws gives companies another reason to stay current on the FTC’s developing body of data security “common law.”