Where a zealous regulator has a great deal of power but no published standards and no accountability to legislatures or courts, and appears to exercise little discretion in applying a single, onerous penalty to every entity it regulates, your objective as a regulated entity might well be to escape the regulator’s notice.  At the time of this writing, that is the situation faced by franchisors whose privacy and information security practices are regulated by the Federal Trade Commission (FTC).

In the Aaron’s and Wyndham cases, the FTC made it clear that franchisors are in its crosshairs, but it was shooting from opposite directions in the two cases.  Aaron’s[1] is fundamentally about holding the franchisor responsible for software installed by franchisees, and the FTC forges that link in ways that should give franchisors pause: through the communication and IT support platforms the franchisor provides to franchisees.  For example, the factors the FTC considered included the following common “mistakes”: the franchisor allowed franchisees to access the software designer’s website (without which they could not activate the software); the franchisor’s server was used to transmit and store emails containing content obtained with the software; and the franchisor provided franchisees with tech support for the software.

In Wyndham,[2] on the other hand, the fundamental issue is whether the franchisor exerted enough control over its franchisees, across a multitude of areas of information security, to establish an information security program that the FTC deems “reasonable.”  Aaron’s mistake of commission (and its vicarious liability) was a single piece of privacy-invasive software; Wyndham’s mistakes of omission were all the things it did not do to create what the FTC would regard as a comprehensive information security program, as evidenced by its three security breaches in two years (not a large number for a large hospitality chain).  Both cases were built on both of the fundamental areas of authority the FTC claims over privacy and information security: the relatively uncontroversial “deception” authority to enforce the privacy and security “promises” made in privacy policies, and the more controversial “unfairness” authority to enforce “reasonable security.”  Unfairness authority lies at the heart of Wyndham, however, and when Wyndham became the first entity to challenge that authority in court, the FTC received its first judicial affirmation both of its unfairness authority and of its ability to enforce that authority without published standards.[3]

Why would an agency trying to raise standards for the security of personal information avoid giving notice of those standards?  Federal Trade Commissioner Maureen Ohlhausen recently offered remarks[4] that clarify just how important this strategy is to the FTC.  In short, her argument is that, given widespread innovation and the rate of change in technology, the information regulators need in order to promulgate regulations is so widely dispersed and ephemeral that a notice-and-comment rule is stale by the time it is promulgated and carves out regulatory categories unfit for their purposes.  Her solution is the FTC’s Section 5 “unfairness” jurisdiction, which gathers information only from the parties and makes judgments on those specific facts; she calls this “ex post regulation.”  She notes that while the results bind only the parties, others can and should look to them as evidence of how the FTC would regard similar facts, and that “when the FTC weighs that precedent in future cases, it can then consider any changes in the underlying facts.”

If you are trying to run a business, you might find ex post regulation an elegant solution for the regulator but at the least worrisome for you, since the rules governing your facts are not known in advance.  Those who know the FTC’s settlement agreements, which almost always involve 20 years of monitoring, find it more troubling.  Perhaps most troubling is the knowledge that the consent orders the FTC has obtained generally involved no admission of wrongdoing; they represent practical business decisions by enterprises wishing to avoid years of ruinous litigation and damage to their reputations, not judgments of courts on the merits.

Commissioner Ohlhausen is well aware of the amount of power ex post regulation gives the FTC, and perhaps for that reason begins her speech with “Principle 1: Regulatory Humility.”[5]  Professors Solove and Hartzog made the case, in a very thoughtful and influential article written before her remarks and somewhat inconsistent with them, that the FTC has exercised, if not humility, then at least restraint in the actions it has brought, providing justification for the current trend of viewing FTC privacy and information security consent orders under its Section 5 unfairness and deception authorities as the development of a “common law.”[6]

The FTC’s actions may not have lived up to the justification that Professors Solove and Hartzog have developed for them, nor to the principle of humility.  For example, when an administrative law judge recently ordered the FTC to disclose its “unfairness” information security standards in the LabMD case,[7] the FTC did not claim that the security provisions mentioned in its more than fifty information security cases constitute precedent; it generally confirmed that every judgment is case-specific.[8]  By the same token, the FTC does not ask the experts in the cases it brings to review its settlement agreements; rather it asks only for, and then relies on, a case-specific judgment based on the expert’s (mostly technical) security expertise.  That is ex post information security regulation in action.[9]

The LabMD case is a very important one because there the FTC is applying its ex post standards not to an entity whose information security obligations are uncertain, but to an entity whose obligations regarding consumer information security are covered by one of the most detailed regulatory structures in the country: the rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Moreover, HIPAA security standards, particularly as they apply to small health care providers like LabMD, are by Congressional design and by regulation lower than FTC standards,[10] so the imposition of higher standards frustrates the choices Congress and HHS have made.  Thus if the FTC can apply its Section 5 authority to LabMD, it can arguably apply that authority to any entity in commerce, regulated or not.

The US health care marketplace resembles the franchise economy in consisting of dispersed networks of large and small entities, the smaller of which have limited resources for information security.  The 1996 HIPAA statute therefore stated that in promulgating information security regulations, the Secretary must take into account “the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary),”[11] and the preamble to the HIPAA Security Rule states accordingly that one of the foundations of the rule is that “it should be scalable, so that it can be effectively implemented by covered entities of all types and sizes.”[12]

This principle of scalability is not only a HIPAA requirement; it is basic to pragmatic information security.  A small entity can only do what it can do, so it needs applications that take care of the security issue as much as possible by default.  If a small entity takes on a big risk (e.g., a large data file), it cannot do so with the IT staffing of a large entity, so it needs guidance to outsource, e.g. to a secure cloud provider, not guidance to use tools that, even if it could identify them, it would never properly deploy, integrate, and effectively use.

FTC Chair Edith Ramirez expresses the starkly contrasting position of the FTC:

The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.[13]

Her statement is quite accurate: the FTC’s standards vary only with the risk associated with the information and the cost of “tools.”  They do not account for the availability of knowledge of those tools, nor, and this is critical in the information security area, for the cost of implementing and integrating those tools and the cost of acting on the complex signals produced by many detection tools, all of which in fact require large IT staffs that small entities cannot afford.  The FTC thus has neither a mandate nor a mission to consider the regulated entity itself: the feasibility of compliance, scalability, the availability of knowledge of which tools are best, and the ability to integrate technical tools rather than just buying something off the shelf.

Judge William Duffey of the Northern District of Georgia got a look at this case before deciding that the federal courts have no jurisdiction to do anything about it yet, and offered a good deal of advice in open court that underscores the big question of whether the FTC, now apparently “clothed with immense power” by the Wyndham decision, can exercise responsible discretion or Commissioner Ohlhausen’s first principle of “humility” (including whether the federal courts can help with those lessons after the FTC’s administrative process is complete).  He said:

I think it’s the responsibility of the government to be fundamentally fair to the people that it’s regulating, and that it would be in your interest and I would hope your motivation as an employee of the government…. [H]ow does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.[14]

Remarking on the notion that a small laboratory about to go out of business should be subject to the 20 years of monitoring that is a universal feature of the FTC’s consent decrees, he suggested that the FTC consider:

a good faith, transparent, authentic discussion about what your concerns are, and trying to get those allayed by some process which would not be a twenty-year monitoring. You know, I have defended people that had twenty-year monitoring responsibilities by an agency, big companies, and it’s very, very expensive, and it’s really intrusive, and in my personal opinion, having been on both sides, they generally are not necessary. But there is never a middle ground. There should be.[15]

For now, however, there is no middle ground.  A franchisor has no option but to act on some difficult decisions.