July 31, 2011

From Private to Public Ordering: An Expanding Federal Role for Regulating Privacy and Data Security?

Edward A. Morse

Consumers have reason to be wary about the security of their personal information--and so do the businesses that handle that information. Recent news accounts of major security breaches highlight the reality that security efforts at even the most reputable firms sometimes fall short. Epsilon, one of the largest distributors of permission-based e-mail services in the world, experienced a breach that disclosed millions of client e-mail addresses. Sony's online gaming network also experienced the theft of names, addresses, and potential credit card numbers affecting more than 77 million user accounts. These events are not rarities, but are part of a continuing litany of security failures affecting consumer information.

Hackers and thieves aren't the only ones after personal information. Compounding consumer angst, legitimate firms also attempt to collect and use personal information for commercial purposes. Privacy policies and click-through agreements are common--but are consumers reading them? And how is one to know that these policies are followed? Targeted advertising made possible by tracking consumer information offers potential benefits for consumers and businesses alike. However, advocacy groups have been shining a light on privacy concerns, potentially enhancing consumer awareness and causing changes in business practices. Third-party services, such as TRUSTe®, have also developed to provide consumers with additional assurance.

Political responses to these threats to consumer privacy and data security are predictably leaning toward solutions that are likely to involve an expanded role for government. Elected officials at the state and federal level have called for investigations and have proposed new legislation. The White House has vetted legislative proposals involving cyber-security policies. The Federal Trade Commission has also signaled greater openness toward discretionary intervention in cases involving perceived consumer harms, and proposed legislation may expand these powers. Finally, the Federal Reserve is also getting into this business, as it seeks to promulgate regulations under the Dodd-Frank Act to address concerns in the payments industry.

All of this froth in the water suggests that businesses who handle consumer data may be facing new legal risks and burdens. Just as Sarbanes-Oxley emerged from notable cases of accounting fraud, a similar movement may be under way in the matter of privacy and data security. This article places these prospects for new government intervention into a broader context, in which private ordering and market forces have played an important role in generating additional consumer protections. Good politics and good economics don't always go together, and business lawyers and their clients will need to be vigilant to understand market and legal risks presented in this changing environment.

Private Ordering--Self-regulation

Private ordering describes a range of approaches for organizing relationships that are rooted to varying degrees in the efficacy of self-regulation, as opposed to government intervention. Most private ordering regimes operate within boundaries formed by existing laws and regulations. For example, contracting parties have considerable latitude in fashioning terms, but public legal constraints may nevertheless affect the substance of their agreement (e.g., unconscionability) or the remedy for a breach (e.g., even ADR awards may be enforced in government-sanctioned courts).

Although law still plays an important role--either casting a shadow or shining a light, depending on the metaphor you prefer--preserving space for private ordering is often desirable. Among other things, private ordering preserves flexibility and allows firms to adapt to changing conditions without many of the public political constraints that affect the dynamics of legal rulemaking. To the extent that market forces demand more or less of something, private ordering allows the parties to adjust their positions and expectations accordingly.

Private ordering has been a significant part of the emerging framework for privacy and data security. As public norms valuing privacy and security have emerged, firms have adopted business practices that are responsive to the interests of their customers. Firms that experience security breaches receive significant public attention and incur significant costs. For example, Sony Corporation has estimated that the hacking breach of its Playstation and entertainment networks may cost the company $171 million over the next year, including benefits to consumers--a powerful incentive for security. Within the payment card industry, Form 10-K disclosures routinely recognize the risk to profits associated with security breaches in the network. No one makes money if consumers or merchants are afraid to use payment cards.

Private ordering does not necessarily entail a laissez-faire approach to all relationships, as it can occur within boundaries that are otherwise formed by external rulemaking. For example, formal processes may emerge to develop common rules and a means of policing the membership of specific communities, as in the case of GAAP and GAAS in financial accounting and PCI DSS in the payment card industry. Private firms can also assist in validating compliance, perhaps auditing or assessing based on predetermined standards, such as provided by TRUSTe® in the consumer realm. Such validation provides efficiency for consumers, who recognize a seal of approval and thereby avoid burdens associated with detailed assessments.

Self-regulation can thus operate as a form of private law that delivers a framework for fair dealing. However, the benefits of this system can also extend beyond the members of the business community, also reaching third parties, including consumers. Just as investors benefit from the application of financial accounting standards, consumers can also benefit from private ordering efforts aimed at conformity to data security standards.

But these desired benefits are never perfectly achieved, as private ordering regimes must also deal with the practical realities of monitoring and enforcement. When a self-regulation regime fails in some manner, it can become politically attractive for government to intervene. For the accounting profession, massive accounting frauds triggered additional government intervention through Sarbanes-Oxley, which injected new rules and additional government oversight into financial reporting processes. A similar movement is arguably underway in privacy and data security.

An Overview of Government Intervention

Current laws and regulations governing consumer privacy and data security are neither comprehensive nor consistent. In the United States, individual states have generally led the way with legislation, with the federal government intervening later on selected matters of federal significance. The resulting patchwork of laws is not easily cognizable. Multistate businesses face challenges in deciding the applicable laws and how to comply with all of them.

State Privacy and Data Security Laws

State privacy statutes are numerous and far-reaching, covering a broad range of business and government practices affecting the privacy of citizens. Some impose specific constraints on consumer relationships, thus interfering with the private ordering regime. Others may be viewed as reinforcing the private ordering regime through ensuring disclosure of information that may be necessary for market forces to incentivize responsible behavior.

State disclosure laws exemplify provisions that are designed to mobilize market forces and thus reinforce private ordering regimes. However, they are not without problems. These provisions usually require personalized notice to each affected consumer, which entails significant transaction costs above that of a public announcement. Many consumers already engage private firms to monitor the use of their personal information, causing them to ignore these notices. Moreover, a security breach does not necessarily cause any tangible damage to the consumer. If fraud occurs, it can be difficult, if not impossible, to trace its cause to a particular disclosure of information. In the case of credit card information, the combination of protections in federal law (e.g., 15 U.S.C. § 1643(a)(1)) and from card brand policies to limit consumer liability make it unlikely that consumers will directly bear costs associated with a fraudulent credit card transaction. However, business cards may be exempt from these policies, and thus present cause for concern.

Consumers are not the only category protected by state laws addressing data security. Banks have crept in to the protected category, seeking a statutory basis for redress from merchants with lax security practices that cause card information breaches and, consequently, cause credit card issuers to incur additional costs to cancel and reissue affected cards. Legislatures in Minnesota, Nevada, and Washington have enacted provisions that allow banks to recover from merchants who fail to meet certain security targets with payment card data. While those targets are likely to be met or exceeded through obligations imposed by payment card networks through agreements with acquiring banks, this legislation shows that politics can affect a redistribution of costs among network members. Whether this ultimately benefits consumers by reinforcing merchant incentives toward security in an efficient manner is unclear. Those same merchants likely face fines and other fiscal sanctions through a private ordering regime imposed by the card network, and the ultimate bearer of costs in a network presents a difficult economic question to unravel.

The Current Federal Regime

State laws provide an opportunity to enact laws and regulations that can be implemented and tested on a smaller scale. As Justice Brandeis stated in his famous dissent in New State Ice Co. v. Liebman, 285 U.S. 282, 311 (1932), "It is one of the happy incidents of the Federal system that a single courageous state may, if its citizens choose, serve as a laboratory . . . and try novel social and economic experiments without risk to the rest of the country." Of course, Justice Brandeis' made his risk assessment without the benefit of modern transportation and communication networks, which have increased the level of interstate business contacts and potentially wide-ranging impacts of the laws of particular states. Indeed, this issue has grown to embrace new challenges of privacy and data security compliance for transactions with international dimensions. Even national laws may not effectively govern these situations, thereby reinforcing the value of private ordering regimes.

Federal laws governing privacy and data security have developed in specific areas to address significant segments of the economy and significant interests of concern to consumers, (such as education, healthcare, and financial services) but they generally have not displaced this patchwork of state laws. Congress has not yet provided comprehensive solutions to the privacy and security puzzle. The states--and private firms--are left to continue experimenting with their own approaches for addressing threats to consumer privacy and security, as well as to develop the proper balance between consumer preferences and the economic advantages of sharing information.

The Federal Trade Commission (FTC) has also played a significant role in developing federal solutions to the privacy and security puzzle. In addition to enforcing federal laws directed at consumer protection, the FTC also exercises broad authority under 15 U.S.C. § 45, which permits the agency to address "unfair or deceptive acts or practices in or affecting commerce." This broad authority has been used to influence the privacy and data security practices of firms with deficiencies in protecting consumer information, including data security breaches or firms that failed to follow private ordering solutions as reflected in their privacy policies.

Although the FTC's enforcement resources only permits attention to the most significant cases, the prospects of FTC enforcement proceedings sends a message to others in the marketplace. In this sense, less can be more: the mere threat of intervention can cause business firms to take notice and change their practices in order to avoid government intervention. Moreover, the development of settlement solutions through public consent decrees, while not rising to the level of a judicial opinion, provides a roadmap that tends to shape the compliance behavior of other firms. The case-by-case approach allows solutions to be developed that take into account the nuances of particular business contexts. An approach based on "fairness" can lead to inappropriate discretionary justice, but solutions developed through consent decrees avoid sweeping generalizations and take into account the emerging standards of best practices within the industry. To the extent rulemaking often lags behind technological change, this approach also leaves room for adaptation to new developments.

Pending Legislation and Regulation by the CFPB

Pending legislation and regulations have the potential to inject a larger federal government presence in the matter of regulating privacy and data security. The FTC is likely to play an even greater role in the design and implementation of new federal standards. And there is a new kid on the block, the Consumer Finance Protection Bureau (CFPB) created by Dodd-Frank, which also may present a formidable new source of regulations in the financial services sector.

Pending Legislation

Legislation to address consumer privacy and data security issues has been percolating through Congress, and new bills will likely be introduced while this article is being edited. One recent example is S. 799, introduced April 12, 2011, by Senator John Kerry. Styled as the "Commercial Privacy Bill of Rights Act of 2011," this bill resembles several others that died with the 111th Congress, in that it seeks to expand the FTC's role in regulating and protecting consumer privacy interests.

The bill notes the shortcomings of the current patchwork of state and federal legislation, including "inadequate" privacy protection. The bill states a legislative finding that "with the exception of FTC enforcement of laws against unfair and deceptive practices, the Federal Government has eschewed general commercial privacy laws in favor of industry self-regulation, which has led to several self-policing schemes, some of which are enforceable, and some of which provide insufficient privacy protection to individuals." Noting that additional state regulation "could lead to a patchwork of inconsistent standards and protections," the bill offers a federal solution that will displace not only state laws, but also the self-regulation model.

The bill suggests that "enhancing individual privacy protection in a balanced way that establishes clear, consistent rules, both domestically and internationally, will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad. . . ." It may be hard to disagree with the ideal of a balanced approach that provides clear and consistent rules for all to follow, but providing the content of those rules is a considerable undertaking. In this sense, the federal solution being offered is a partial one, at best.

The bill attempts to scale this difficulty by delegating authority on the particulars to the Federal Trade Commission, thereby expanding the role for the commission in this area beyond its work in enforcing the mandate to address unfair trade practices. Significantly, even the commission's rulemaking authority is limited, in that the "Commission may not require a specific technological means of meeting a requirement [to protect covered information]." Further, these regulations shall be "consistent with guidance provided by the commission and recognized industry practices for safety and security" in existence before enactment. Thus, to a considerable extent, the bill appears to "insource" what has already developed in private industry, albeit with considerably less precision and certainty than may exist in the context of private rulemaking, such as may be found in PCIDSS. By eschewing specific technologies, the bill may leave room for technical advance, but in many cases the existing technology (such as encryption) is indeed a part of industry practice. The content for these rules remains to be seen, if indeed this bill moves forward. Significantly, those already subject to federal regulation (including, for example financial services or healthcare) will be exempt from these rules.

In addition to directing the FTC to prescribe new regulations, the bill also addresses enforcement. Designing an effective means to enforce these new consumer protections is an important component of any legislative solution. On one hand, enforcement by the government potentially allows for the systemic protections afforded by government bureaucracies, which assuming proper training and experience, may exercise discretion to address significant harms. However, in an era of shrinking budget prospects, one wonders how an agency will have sufficient resources to effectively enforce these rules.

Although the Kerry bill expands the enforcement regime to include state attorneys general, it does not allow for private enforcement. However, state law claims based on fraud, or on state laws addressing health or financial information, are specifically preserved from preemption. The full extent to which other state law claims are preempted by this legislation is unclear, but in some respects this approach may actually be preferable to a regime of private enforcement through litigation. Schemes that provide for statutory damages and attorney fees have the potential to impose crippling liability that extends far beyond the benefits to consumers.

The Kerry bill also attempts to be sensitive to concerns about the size of the affected business. First, the bill technically applies only to covered entities, which are defined in part as those who handle information concerning more than 5,000 individuals during any twelve-month period. (Whether other firms will be held to similar standards through other enforcement channels remains to be seen.) The bill also requires that regulations for security measures will be "proportional to the size, type, and nature of the covered information a covered entity collects." Significantly, covered entities may not only be businesses, but may also include non-profit organizations. To the extent that churches and other religious organizations may be covered, and "religious affiliation" of an individual is designated as "sensitive information" by the bill, this may significantly expand the FTC's rulemaking and enforcement roles beyond the traditional business realm. Will the FTC knock on the church's door for maintaining a prayer list for those who are in hospital?

The Kerry bill is also significant for what it does not address. The bill leaves intact state law regimes for data security breach notification requirements. Other bills, including H.R. 1841, the Data Accountability and Trust Act of 2011 (DATA), which was introduced on May 11, 2011, would preempt state notification laws and impose a single federal standard. Many in the business community may welcome a single standard, which will clarify their compliance burdens. However, some issues still need to be resolved, including the proper latitude granted to business to evaluate whether there is any risk of harm to a consumer and the allowable period for delay between discovery and disclosure. Moreover, as noted above, whether public notice should be allowed in lieu of personal notice should also be considered in order to ensure that compliance costs don't outweigh likely consumer benefits.

The matter of online tracking and targeted advertising has also attracted legislative attention at both the federal and state level. In California, S.B. 761 (introduced March 23, 2011) would give consumers the right to opt-out of online tracking and it reinforces this right with a private remedy for damages and attorney fees. In the U.S. House of Representatives, H.R. 654 would provide a similar right, but with no private cause of action. The Kerry bill, noted above, would also provide a requirement for opt-out consent regarding use of covered information by third parties for behavioral advertising or marketing. However, no such consent is apparently required if the marketing or advertising involves the same website.

Federal legislation that preempted competing state regulation would likely solve problems for multistate businesses (presumably all Internet businesses). However, the appropriate content for this legislation is controversial. Consumers may indeed prefer not to be tracked, but will this preference persist if their decision means that free Internet content is otherwise restricted? The pervasive funding of Internet growth through the advertising model generates significant complexity in any attempt to interfere with this private ordering model, as even the FTC has recognized in a December 2010 report.

Dodd-Frank Regulations

In addition to pending legislation, additional government intervention may also come from new regulations affecting the financial services industry. The Dodd-Frank Wall Street Reform and Consumer Protection Act and particularly Title X, known as the "Consumer Financial Protection Act of 2010," creates a new agency, the Bureau of Consumer Financial Protection, established within the Federal Reserve System, which "shall regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws."

Thus, another agency may enter into the rulemaking and enforcement mix, effectively invoking new opportunities for federal intervention and potentially new conflicts among the various federal interests. Provisions in Dodd-Frank appear to contemplate that the FTC and the bureau will negotiate their enforcement roles in areas where their authority may overlap. Moreover, the bureau is expressly granted enforcement authority over any rule prescribed by the Federal Trade Commission "with respect to an unfair or deceptive act or practice" when it affects consumer protection matters covered by the bureau. The role of the bureau remains to be seen, as its official rulemaking and enforcement activities have not yet begun.

Dodd-Frank, at 15 U.S.C.A. § 1693o-2, also grants regulatory authority to the Federal Reserve to "address reasonable fees and rules for payment card transactions." Although this does not specifically implicate data security requirements, proposed regulations contemplate efforts to regulate credit card fraud losses. Thus, the Federal Reserve may also get into the data security business, adding new requirements on the industry beyond those already imposed through private ordering. Complexities of implementing these rules, including the network impact when the rules, as a technical matter, only apply to large banks, remain unresolved.

A Future for Private Ordering?

Our federal system presents challenges for businesses seeking to comply with their legal obligations concerning privacy and data security. The Internet and its environs are especially problematic, as jurisdictional boundaries are often blurry. Consumer angst creates a powerful incentive for politically accountable branches of government to intervene on their behalf with new legal protections. In a networked environment, intervention at the state level is bound to be ineffective due to geographic constraints; this alone may create an impetus for federal intervention to harmonize the various state requirements.

Government actors at the federal level face the same challenges as in the states: defining the appropriate level of protection and an appropriate enforcement regime is a Herculean task. Privacy expectations can vary widely among industries and within various population demographics. As for data security, technology is a moving target. Specific rules are likely to embrace yesterday's technology, which hackers have already discovered.

Private ordering remains a workable ideal that can continue to provide significant consumer protection, even if government involvement expands. A regulatory approach that borrows human and social capital from self-regulation models, thereby appropriating and defining industry practices, effectively "in-sources" a private ordering regime. It remains to be seen whether that approach will present any significant improvement in consumer protection on account of involving government actors.

Enforcement issues are likely to loom large in any rulemaking efforts, as intentions to protect consumers must be tempered by the reality of fiscal constraints. Will fines and penalties become a new source for these revenues, effectively becoming a new tax on business? Allowing private enforcement may solve resource constraints, but when the regulatory infraction doesn't present significant risks for consumers, the resulting economic distortions may ultimately disadvantage consumers. There are significant complexities to be resolved in this area; hopefully the political impetus to expand consumer protection does not overlook the broader context of consumer well being and the importance of preserving space for private ordering.

Edward A. Morse

Edward A. Morse, professor of law, holds the McGrath, North, Mullin & Kratz endowed chair in Business Law at Creighton University School of Law in Omaha, Nebraska. This article benefitted from a panel discussion at the ABA Spring Meeting in Boston, "Privacy Police to Security Sheriffs: The Expanding Federal Role in Regulating Privacy and Data Security Protection." The author is grateful to his fellow panelists, Thomas Brown, Erika Brown Lee, and Mozelle W. Thompson, for their helpful discussion and contributions, and to Michael Fleming for his helpful comments.