Cyber attacks only seem to be increasing in frequency and severity. Major data breaches at companies such as Target, Sony, Anthem Health Care and others have exposed hundreds of millions of individuals to the risk of credit loss and identity theft, and virtually every industry has been targeted. Moving past credit cards, cybercriminals are increasingly going after proprietary business data and deploying ransomware and cyber blackmail: they hold data hostage and attempt to extort millions of dollars from companies that wish to avoid data loss and public embarrassment. Attackers often reach company data through vendors that provide technical or financial services, or through targeted e-mail attacks on company employees that use social engineering to induce unsuspecting individuals to open attachments and download malware. Companies that fall victim to these attacks have suffered huge financial losses. According to the Ponemon Institute's 2015 study, the average total cost of a data breach is now $3.8 million, up from $3.5 million a year earlier, or $154 per individual record lost or compromised. These figures do not include less direct costs such as lost business and reputational damage.
In spite of growing concern about cybersecurity, Congress has not yet adopted broad federal legislation. Instead, companies today face a patchwork of laws and regulations pertaining to corporate cybersecurity practices, including laws in 47 states and the District of Columbia and rules issued by multiple federal agencies. Many of the federal agencies involved in cybersecurity regulation are industry-specific, focusing, for example, on financial services, healthcare, insurance or publicly traded corporations. One agency, however, the Federal Trade Commission (FTC), has asserted a broad mandate that extends its oversight to all companies operating in the United States. Since 2002, the FTC has assumed a leading role in policing corporate cybersecurity practices, and in that time it has brought more than 60 cases against companies for unfair or deceptive practices that endanger consumers' personal data.
Given the increasingly important role of the FTC in policing cybersecurity, companies would be well advised to examine whether their cybersecurity practices and policies may subject them to regulatory action by the FTC in the event of a data breach. Without prescriptive regulations to ensure that their conduct falls within a safe harbor, companies face uncertainty in determining what, or how much, they should do to avoid an FTC enforcement action. Companies should look to guidance published by the FTC and other regulatory agencies to determine whether their current cybersecurity practices appear reasonable, and to develop and update their policies for responding to and recovering from a data breach.
FTC Has New Mandate to Regulate Cybersecurity
Section 5 of the FTC Act, dating back to 1914, prohibits “unfair or deceptive acts or practices in or affecting commerce.” Not surprisingly for a law passed in 1914, the act does not mention cybersecurity. However, the FTC has long maintained that Congress intended the word “unfair” to be interpreted broadly and flexibly so that the agency can protect consumers as technology changes. Most early consumer privacy cases brought by the FTC came under the “deception” prong of Section 5; they targeted companies that made false data security or privacy representations to their customers through websites or other applications. In 2002, the FTC began asserting claims based on “unfair” cybersecurity practices. For the next 10 years, every action brought by the FTC resulted in a negotiated consent agreement, and no company tested the FTC’s statutory authority to regulate cybersecurity. While some companies questioned that authority, all of them settled rather than engage in an embarrassing legal battle. That changed when the FTC sued Wyndham Worldwide Corp. in 2012.
The FTC alleged that hackers had obtained unauthorized access to Wyndham’s computer networks on three separate occasions. The incidents exposed more than 600,000 consumer payment card numbers and led to more than $10.6 million in fraudulent charges. Rather than settle, Wyndham moved to dismiss the complaint on the grounds that (1) the FTC had no authority to regulate corporate data security, (2) the “unfairness” prong of Section 5 of the FTC Act did not encompass unreasonable data security measures, (3) the FTC had not given companies fair notice of how their level of data security could be deemed an unfair trade practice, and (4) the FTC had not sufficiently alleged consumer injury. The district court denied Wyndham’s motion but certified its decision on the “unfairness” prong of Section 5 to allow an interlocutory appeal to the Third Circuit.
In FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015), the Third Circuit affirmed that the FTC has authority to regulate cybersecurity. The Third Circuit held that Section 5 was not impermissibly vague. Congress had explicitly rejected the notion that specific “unfair” practices should be enumerated in the act. According to Section 5(n) of the FTC Act, to be deemed “unfair,” (1) an act must be likely to cause “substantial injury” to consumers, (2) consumers cannot reasonably avoid the injury, and (3) the injury is not outweighed by benefits to consumers or competition. The language thus informs parties that the relevant inquiry is a cost-benefit analysis. Wyndham also argued to the Third Circuit that when a business itself is the victim of a cyber attack, it does not treat its customers in an “unfair” manner. The court rejected this argument, explaining that the FTC Act expressly contemplates the possibility that unfair conduct could take place before an actual injury occurs. Thus, the fact that Wyndham was a victim of criminal activity did not immunize it from liability where injury to its customers was foreseeable. Wyndham’s conduct need not have been the proximate cause of the injury for the company to be liable for foreseeable harm, because, after the first attack, the second and third attacks were no longer unforeseeable.
Wyndham also challenged the FTC’s complaint on the basis that it lacked fair notice of which cybersecurity practices would fall short under the “unfairness” prong of Section 5. This argument was a stretch, as Wyndham’s cybersecurity practices, if they could be called such, were nothing short of egregious. Wyndham had been hacked not once but three times. It had failed to use firewalls, did not restrict IP addresses, failed to encrypt sensitive customer files such as credit card information, and did not require users to change default passwords on network equipment. Predictably, the Third Circuit held that notice was constitutionally sufficient “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” The court pointed to several FTC publications and administrative enforcement actions that put Wyndham on notice that its practices were unlikely to survive the cost-benefit analysis under the “unfairness” prong of the FTC Act. Specifically, the court cited a 2007 FTC guidebook titled Protecting Personal Information: A Guide for Business, which laid out a checklist of practices that form a sound data security plan and advised against many of the very practices of which Wyndham was guilty. The court added that the FTC’s published complaints and consent decrees in earlier unfairness cases had close factual parallels to Wyndham’s situation and so should also have put Wyndham on notice.
Following affirmance of the FTC’s authority, Wyndham and the FTC reached a settlement in December 2015 under which Wyndham agreed to establish a comprehensive information security program designed to protect cardholder data. Wyndham must also conduct annual information security audits, with the Payment Card Industry Data Security Standard (PCI DSS), which applies to merchants, processors and other entities that store, process or transmit payment card data, serving as the benchmark. These and other obligations under the agreement will last 20 years. The settlement is noteworthy in that the FTC laid out more specificity than is typical in its consent decrees, offering companies more guidance as to what the FTC, at least today, considers “reasonable and necessary.”
New Uncertainty over the Scope of FTC Authority
Like Wyndham, another company pursued by the FTC for lax data security practices, LabMD, decided to fight back. LabMD was a clinical laboratory that conducted tests on samples and reported results back to physicians. It experienced two incidents that led to the FTC complaint. First, in 2008 a third-party company contacted LabMD and reported that it had found a LabMD report containing personal information on a peer-to-peer file sharing network. It turned out that this third-party company was trawling the internet for private information and then offering security services to the affected businesses. Second, documents from LabMD containing personal information on at least 500 individuals were found in the possession of criminals charged with identity theft. Rather than sue in federal court, as it had against Wyndham, the FTC issued an administrative complaint on August 28, 2013, after a three-year investigation of LabMD’s cybersecurity practices. The FTC accused LabMD of an “unfair” business practice, in that it allegedly had held private information without taking reasonable measures to secure it.
Various privacy groups took up the battle against the FTC on behalf of LabMD, and, following an evidentiary hearing before an administrative law judge, the judge on November 13, 2015, dismissed the administrative complaint. The core holding was that the FTC had failed to prove substantial injury to consumers. The government had to prove actual or likely substantial injury, not merely a theoretical risk of future harm. Under Section 5(n), the FTC has no authority to declare an act or practice unlawful “unless the act or practice causes or is likely to cause substantial injury to consumers.” The administrative law judge determined that the FTC could not meet this burden, as it could not show that the alleged data breaches had caused tangible harm to anyone. The judge stated that, “[a]t best, [the FTC] has proven the ‘possibility’ of harm, but not any ‘probability’ or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”
The FTC’s complaint counsel appealed the administrative law judge’s decision to the full Commission, pressing the agency's view that “mere disclosure is harm” and “some risk is enough” to establish substantial injury. At oral argument on May 16, 2016, the FTC argued that “a significant risk of substantial harm [i.e., from failure to put reasonable security practices in place] is itself substantial injury” to consumers. This is an extreme position that would result in liability for unfair practices without any actual, concrete harm to a consumer having taken place. LabMD’s position, however, may be strengthened by the recent Supreme Court decision in Spokeo, Inc. v. Robins, No. 13-1339, 578 U.S. __ (May 16, 2016), which held that Article III standing to bring a claim requires an injury-in-fact, meaning an injury that is “concrete and particularized.”
It is likely that the commissioners will reverse the judge’s opinion, as the commissioners have historically sided with the FTC’s own position in every appeal from an administrative law judge, whether that meant upholding or overturning the judge. However, when (not if) the Commission’s decision is appealed to a U.S. Court of Appeals, the rationale of Spokeo may lead the court to set the case aside if it finds no “concrete” injury to consumers, notwithstanding the FTC’s asserted statutory authority under the FTC Act to bring the enforcement action.