Back on July 20, the Seventh Circuit Court of Appeals decided Remijas v. Neiman Marcus, leading a chorus of pundits to declare that case changed everything when it comes to data breach cases, signaling a “new tilt towards victims.” What many commentators missed was the importance of the procedural posture in that case. Particularly important to understand was that all the appellate court had done was decide that the allegations made by the plaintiffs in their complaint were sufficient to withstand a motion to dismiss and send the case back to the trial court for further proceedings.
Only about a month later, another circuit court — this time the Third Circuit — issued a decision in another closely watched data breach case,Federal Trade Commission v. Wyndham Worldwide Corp. Again, commentators far and wide have predicted gloom and doom for those responsible for corporate data security, even suggesting that companies should immediately run out and “lawyer up.” But, once again, a closer reading of the Wyndham decision is warranted, and a trial lawyer’s perspective on what is actually left to litigate in the case may be helpful for an understanding of where data breach law actually stands in the U.S. in the wake of this long-awaited ruling.
The reality is — not much has changed. Certainly, the FTC’s self-proclaimed position as the “data breach police” was validated by the Third Circuit’s decision. But the formulation of a general standard for data security — and an understanding of whether your organization is either within or outside of the boundary lines — is no more certain now than it ever has been.
To understand, we have to first look at some background, and then examine the two rather narrow issues that were before the Third Circuit. The background is that, since the early 2000s, the FTC has been attempting to bolster its position as the nation’s general privacy authority, through a series of “privacy initiatives.” Before the ChoicePoint data breach in late 2004, most of the FTC’s enforcement actions were brought against companies that had made statements in their published website privacy policies and which the FTC (usually through company insiders) found out were less than 100 percent accurate, at least allegedly. These actions were brought under the FTC’s authority in Section 5 of the FTC Act (15 U.S.C. §45), which empowers the agency to take action against “deceptive trade practices.” Because these cases all involved one or more statements that the FTC alleged weren’t true, there wasn’t much debate about whether the FTC had authority to bring them.
Then, in the wake of the ChoicePoint breach, the FTC undertook an investigation of ChoicePoint’s data security protocols, and ultimately brought and settled an action against the company based, in part, on the agency’s allegations that the company’s alleged lax security constituted an “unfair trade practice” under Section 5. The FTC and ChoicePoint entered into a 20-year consent decree, which, among other things, included intensive, annual audits and required ChoicePoint to pay $15 million.
Over the next dozen or so years, the FTC repeated this tactic again and again. It would single out a company that had suffered a very large, very public and newsworthy data breach and which was reeling from the bad PR almost inevitably following such an incident, investigate the breach, convince the company to settle, and then file a complaint and stipulated consent order at virtually the same time. The complaint would detail the company’s alleged security failings, and the consent order would impose certain obligations, primarily in the form of audits and data security upgrades. Although the FTC never again persuaded any other company to pay the $15 million that it got ChoicePoint to pay, it nonetheless has taken the position that this series of enforcement actions — including the complaints filed (and never answered) and consent orders — is relevant in determining what cybersecurity practices a particular company should follow, even though none of the FTC’s targets has ever admitted liability and there was never any adjudication on the merits.
Criticism of these tactics — under the label of “data security regulation” — has not been absent. Some have argued that if the FTC wants to exercise regulatory authority over data security and police the reasonableness of security protocols generally, it needs to engage in a rulemaking process that would put American businesses on notice of precisely what it expects in the way of standards. But instead, the FTC has chosen to go after only a fraction of the companies suffering publicly reported data breaches (about 1 percent), one by one. Until 2012, none of the 50 or so companies the FTC singled out was ever brave enough to be the “test case” as to whether the FTC could actually establish that its security practices were “unfair trade practices” under the FTC Act.
Then in 2012, the FTC attempted its tried and true tactic on Wyndham, after it experienced a series of intrusions into its data systems, allegedly between 2008 and 2010. But instead of just going along with it, like every other company before it had done, Wyndham declined to enter into a consent order, and the FTC filed suit. Wyndham fought back and filed a motion to dismiss, on a number of grounds, including challenging the FTC’s authority to regulate data security under Section 5 of the FTC Act (particularly under the “unfairness prong”), and arguing that, even if the FTC had the authority, it had failed to provide adequate notice to Wyndham (and the world generally) of what it considered to be “unfair” when it comes to data security.
This is where it’s really important to understand how a trial court works, in order to fully appreciate what the Third Circuit did in its recent decision. The district court did what trial courts are supposed to do — it ruled on Wyndham’s motion to dismiss, refusing to dismiss the case on the grounds Wyndham argued. Then the trial court granted Wyndham permission to immediately appeal two issues — and those were the only issues before the Third Circuit. Whether Wyndham is ultimately liable for unfair trade practices under the FTC Act was not one of the issues. Likewise, whether Wyndham had inadequate security was not one of the issues. Now that the Third Circuit has ruled, those issues remain to be adjudicated in the trial court, and so they were not before the Third Circuit on appeal.
Instead, the issues before the Third Circuit were:
- Whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and,
- If so, whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision.
In short, the Third Circuit rejected Wyndham’s argument that the FTC lacked authority to regulate cybersecurity under the unfairness prong of the FTC Act. As to this issue, although the court’s opinion answers a question (at least in the Third Circuit) that has been the subject of much debate for 10 years, it was a relatively simple question with only two possible outcomes — yes or no. Thus, the fact that the Third Circuit answered “yes” can hardly be considered “surprising,” as it was one of only two possible answers the court could have given.
The court’s answer to the second question, however, is much more nuanced than most of the throng of commentators has grasped. And the implications of the answer going forward are even more subtle. The Third Circuit did not rule that Wyndham had fair notice that its cybersecurity practices actually fell short of the requirements of the “unfairness prong” of the FTC Act. That wasn’t the question. Rather, the question was whether Wyndham had fair notice that its cybersecurity practices — as alleged in the FTC’s complaint — could fall short of the requirements of the “unfairness prong” of the FTC Act. And on that question, the court answered “yes.” Wyndham’s counsel had tried to convince the court that it should answer “no” by arguing that Wyndham was entitled to “ascertainable certainty” of the FTC’s interpretation of the “unfairness prong” — in terms of the specific cybersecurity practices the FTC believes are required. “Ascertainable certainty” is the standard required when an agency is attempting, through statutory interpretation, to fill gaps in a particular statutory scheme, or a party is challenging an agency’s interpretation of its own regulation. But the Third Circuit found “ascertainable certainty” was not the appropriate standard to be applied at this stage of the case because, according to the court, Wyndham was not challenging the FTC’s interpretation of the “unfairness prong” of the FTC Act, nor was it challenging an FTC rule or regulation.
Rather, the court found that the parties agreed that the FTC was asking the federal courts to interpret the “unfairness prong” of the FTC Act “in the first instance,” in order to decide whether the Act prohibits the conduct alleged in the FTC’s complaint – that is, Wyndham’s cybersecurity practices. With that as the issue, therefore, the court found that the case involved only ordinary judicial interpretation of a civil statute, and the “ascertainable certainty” is inapplicable. Thus, according to the court, the relevant question was not whether Wyndham had fair notice of the FTC’s interpretation of the statute but whether Wyndham had fair notice that its cybersecurity practices (as alleged) could fall within the meaning of the statute. The court then noted:
"We do not read Wyndham’s briefs as arguing the company lacked fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under § 45(a). Wyndham argued instead it lacked notice of what specific cybersecurity practices are necessary to avoid liability. We have little trouble rejecting this claim.”
The court found that — as to what notice is required as to the application of the FTC Act generally — Wyndham was entitled to a relatively low level of notice, because (1) no constitutional rights are implicated; (2) the FTC Act is a civil rather than criminal statute; and, (3) statutes regulating economic activity receive a “less strict” test because their “subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action.” Thus, applying the lower standard applicable to “ordinary judicial interpretation of the civil statute,” the court found that Wyndham had fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under Section 5 of the FTC Act.
What has been missed by many commentators, as was true with the Neiman case, is that the court’s ruling in the Wyndham case merely sends the case back to the district court for further proceedings. The Third Circuit was ruling on an appeal of the district court’s order on a motion to dismiss. In that procedural posture, the district court and the appellate court must accept all allegations of the complaint as true. But now the case goes back to the trial court, and now the allegations of the complaint must be proven by the FTC. What is still to be litigated is whether, in fact, Wyndham’s actual data security practices were “unfair” under the FTC Act. The Third Circuit, in its opinion, noted the considerable body of law recognizing the high burden required to prove “unfairness” (under 15 U.S.C. §45(n)) — the establishment of substantial, unavoidable harm to consumers, beyond mere inconvenience, and not outweighed by countervailing benefits. The court further noted, twice in its opinion, that these elements may not identify all of the requirements for an unfairness claim, and that there may be others.
To be sure, the FTC will now have to meet a very tough burden as the facts regarding Wyndham’s actual data security controls are litigated. Ultimately the court will be required to measure the efficacy of those controls, and the FTC will need to establish some sort of standard against which Wyndham’s controls can be measured. But, importantly, the Third Circuit ruled in its recent opinion that the FTC's previous complaints and consent orders provide no guidance regarding the standard to which Wyndham (or any other company) might be held accountable, as those complaints were never even answered, much less adjudicated. It also ruled that the FTC's self-published data security “guidance” likewise is inapplicable in terms of establishing a standard.
The bottom line is that this case is a long way from over, and although it is now absolutely clear — at least in the Third Circuit’s eyes — that the FTC can regulate data security, the FTC still must establish — under a high burden of proof — what data security controls it believes Wyndham necessarily should have employed, but failed to. We expect that Wyndham will likely offer significant expert testimony that its data security controls, while perhaps not perfect, were consistent with the types of controls employed by many other businesses, including others in its industry. Given the almost de facto inevitability of data breaches — established by the more than 4,600 data breaches made public since 2005, impacting every size organization in every industry imaginable — the FTC has a very tough burden to meet in this case. And unless the FTC engages in some future rule-making regarding a standard of data security that all companies should follow (which is unlikely), it will be forced to establish the same proof in all future cases, on a case-by-basis.