What Is “Reasonable” Data Security According to the FTC?/Articles/CLM Magazine (2024)

The Federal Trade Commission (FTC) is the federal agency charged with protecting consumers. It enforces several statutes and rules that impose obligations on businesses to protect consumer data, including the Gramm-Leach-Bliley Act (for nonbank financial institutions), the Fair Credit Reporting Act (for consumer reporting agencies), and the Children’s Online Privacy Protection Act (for businesses that collect children’s information online).

In addition to these authorities, the main legal authority the FTC uses in the privacy and data security space is Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive” acts or practices. The FTC began applying Section 5 in 2002 to bring enforcement actions against companies whose privacy or data security practices allegedly harmed consumers. Since then, the FTC has brought more than 50 enforcement actions under Section 5 against companies for allegedly failing to implement adequate privacy or data security safeguards. Nearly all of those actions have settled.

Initially, the FTC’s data security enforcement actions focused on “deception,” which involves making materially misleading statements or omissions. Under its authority to prosecute deceptive acts or practices, the FTC has settled 30 matters challenging businesses’ express or implied claims about the security they provide for consumers’ personal data. Within a few years, the FTC began bringing data security cases under its “unfairness” authority, which proscribes data security practices that cause or are likely to cause a substantial injury that consumers could not reasonably avoid and that is not outweighed by benefits to consumers or to competition. In 2005, the FTC brought its first “unfairness” case against a retailer following a data security breach that exposed the personal information of thousands of the retailer’s customers.

The FTC’s approach to privacy and data security under its Section 5 authority has not been without controversy. According to the FTC, “reasonableness” is the touchstone under Section 5 and the other statutes it enforces for determining whether a business has violated the law. But critics complain that the FTC has failed to give businesses adequate direction as to what constitutes “reasonable” privacy and data security. They say that the sparse language found in the settlements provides little guidance as to the specific components of a reasonable privacy or data security program. In addition, the FTC has not conducted rule-making to spell out the privacy and data security practices that are required to avoid liability under Section 5.

In one of the rare enforcement actions that did not settle, an administrative law judge ordered the FTC to give deposition testimony about the data security standards it used to pursue LabMD Inc. LabMD was in the business of conducting clinical laboratory tests on specimen samples from consumers and reporting the results to the consumers’ health care providers. The FTC filed an enforcement action against LabMD alleging that it violated Section 5 by failing to provide “reasonable and appropriate” security measures to protect consumers’ personal data. The complaint alleges that billing information for more than 9,000 consumers was found on a peer-to-peer (P2P) file sharing network, and that documents containing personal information of at least 500 consumers were found in the hands of identity thieves.

Instead of settling, LabMD filed a motion to dismiss, asserting that the FTC could not penalize it for alleged failures to provide adequate data security for consumer information because the FTC had not issued any regulations that would have given LabMD fair notice of what the standard is for “reasonable and appropriate” data security. Although the administrative court denied the motion to dismiss, the judge granted LabMD’s motion to compel testimony from the FTC regarding the data security standards it intends to use to prove that LabMD’s data security was inadequate. According to the deposition testimony of the director for the Bureau of Consumer Protection, the FTC has repeatedly communicated standards for reasonable security through settlements, guidance brochures, speeches, and congressional testimony from which companies can derive guidance for compliance.

Indeed, in a September 2014 speech, the FTC reiterated that it enforces a “flexible” standard of reasonable security that is “process-based,” rather than a checklist of specific technologies or tools for assessing and mitigating risks. According to the FTC, following this approach allows the reasonableness standard to adapt to rapid changes in both technology and security threats, covering older technologies as well as emerging technologies. The FTC has indicated that “reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face.”

The FTC noted that its settlements and guidance have outlined reasonable security practices while emphasizing that companies need to implement these practices in a way that is appropriate for their businesses. These practices include:

  • Conducting a risk assessment.
  • Minimizing the collection and retention of personal information about consumers.
  • Implementing technical and physical safeguards.
  • Employee training.
  • Having an incident response plan.

The FTC also stated that the “Framework for Improving Critical Infrastructure Cybersecurity” prepared by the National Institute of Standards and Technology (NIST Framework), the core of which is about risk assessment and mitigation, is consistent with the FTC’s enforcement framework. According to the NIST Framework, organizations of all sizes can apply its principles and best practices on risk management to improve cybersecurity. The NIST Framework references a handful of sources of industry standards related to data security.

Based on the FTC’s pronouncement, a company might conclude that it can avoid Section 5 liability if it follows the industry standards referenced by the NIST Framework. But as a practical matter, companies may find it difficult to pick and choose which practices to follow. Indeed, one of the referenced sources, NIST SP 800-53, contains more than 400 pages of security controls that even large companies with vast IT resources—let alone small companies with limited resources—would find challenging if not impossible to implement fully. Thus, the question remains as to how many and which industry standards will suffice as “reasonable” data security in the eyes of the FTC.

Barring congressional action on comprehensive data security legislation or formal rule-making by the FTC, it appears that the FTC will continue to assess reasonableness on a case-by-case basis. Companies will therefore need to track the FTC’s settlements, guidance brochures, speeches, and congressional testimony to deduce the FTC’s expectations regarding reasonable data security and avoid Section 5 liability.

This article is meant to provide general information only and is not a substitute for legal advice. Readers should seek the advice of counsel or contact the authors for more information.