The FTC, Cybersecurity & "Reasonableness"

The Federal Trade Commission (FTC) continues to pursue the regulation of internet privacy safeguards across a variety of industries, despite ongoing challenges to its authority to do so. In 2013 alone, the FTC filed suit against four companies that, while very different in lines of business , have one thing in common: they all maintain an internet presence and therefore are susceptible to unauthorized access by hackers. The FTC has accused these companies—ranging from a mobile phoneprovider to a clinical laboratory testing business—of failing to provide reasonable and appropriate data security to prevent the unauthorized access of consumers' personal information. The Commission claims these alleged failures constitute a violation of Section 5 of the Federal Trade Commission Act (Act) prohibiting "unfair or deceptive acts or practices," which is the Commission's principal legal tool for combating false and misleading advertising and deceptive trade practices.

The most notable case involving these same accusations—the case that could prevent the FTC from bringing similar actions in the future—is a 2012 FTC action against Wyndham Worldwide Corporation. The Commissionalleges that the hotel chain failed to maintain reasonable security safeguards, allowing unauthorized access to Wyndham computer networks resulting in more than $10.6 million in fraudulent charges on consumers' accounts. This case is important because instead of settling with the FTC, Wyndham decided to fight. Wyndham moved to dismiss the complaint, claiming that Section 5 of the Act, enacted in 1914, does not give the FTC the authority to determine whether any given company's data security protections are reasonable. Not only does the FTC lack the authority, Wyndham argues, the Commission also has not articulated what constitutes "reasonable" security safeguards. How, the argument goes, could the FTC tell companies across myriad sectors that their security practices are unreasonable if nobody has articulated what security standards are reasonable?

The party to blame for the lack of clarity is the most likely of culprits: Congress. The current cybersecurity regulatory structure is a patchwork of specialized, industry-based federal laws. For example, healthcare providers maintaining electronic health information are governed by data security standards and regulations found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), while the Gramm-Leach-Bliley Act requires financial institutions to implement security safeguards to protect consumers' personal financial information. There is no broad, overarching federal law regulating the security of online personal information across all industries, despite repeated attempts to pass such legislation. The FTC has stepped forward to fill the vacuum, claiming to have the sweeping authority to regulate internet privacy standards and the Commission seems poised to exercise that power unless and until a federal court says otherwise. Many are anticipating that the court may curb the FTC's asserted authority in this regard.

Although highly specific data security requirements have generally been resisted on the ground that there is no "one-size-fits-all" way of protecting confidential data, additional guidance will help businesses in avoiding litigation based on broad concepts of necessary protection. Recently, pursuant to President Obama's ExecutiveOrder issued in February directing the National Institute of Standards and Technology (NIST) to work with cross-industry representatives to draft a cybersecurity framework outlining standards, best practices and guidance to help businesses manage cybersecurity risks, NIST issued a preliminarycybersecurity draft framework for public comment and discussion. While entirely voluntary, the NIST framework will help shape what practices are considered "reasonable" data security safeguards, and input from industry members is critical to its final version being reasonable in practice.  NIST anticipates releasing the final version of the framework in February 2014.

© Arnold & Porter Kaye Scholer LLP 2013 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.