While the United States lacks a comprehensive data security law akin to that in the European Union, the Federal Trade Commission has filled the gaps between industry-specific laws and rules with its general authority under Section 5 of the Federal Trade Commission (FTC) Act. Section 5 of the FTC Act gives the FTC broad authority to investigate “unfair and deceptive acts and practices in or affecting commerce”. The FTC has increasingly used this broad authority aggressively in the privacy and data security contexts, initiating investigations into a wide variety of “unfair” or “deceptive” practices. In particular, the FTC has brought a number of cases alleging that website operators engaged in deceptive acts by failing to adhere to their stated policies and practices.
The majority of the FTC’s privacy and data security cases involve the “deception” prong of Section 5. Many cases are not based solely on Section 5, and instead include violations of other related statutes under which the FTC has authority, including, for example, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. However, these cases generally involve a company’s failure to adhere to its own stated policies, which the FTC considers to be a deceptive act or practice. For example, in a recent case involving PLS Group, owners of the PLS Loan Stores, the FTC alleged, among other violations, that the company failed to protect consumer information in a manner consistent with the company’s written data security and privacy policies. In particular, the company did not shred or otherwise destroy consumer records, including social security numbers and credit reports, before disposing of them in unsecured dumpsters outside the stores. As part of the consent agreement, PLS Group agreed to pay more than $101,000 in civil penalties and undergo biannual third-party audits for the next 20 years.
The FTC’s approach to data security enforcement under Section 5 of the FTC Act has evolved in recent years to include alleged violations of the “unfairness” prong of Section 5.
The extent to which the FTC has authority to pursue data security cases, namely those involving security breaches, under the “unfairness” prong of Section 5 has been the subject of considerable debate. Section 5(n) of the FTC Act, as revised, only permits the FTC to pursue investigations under its “unfairness” authority if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While the FTC is allowed to use established public policy considerations as evidence in making an “unfairness” determination, public policy cannot be the main justification.
Although a ruling on the Wyndham Hotels motion to dismiss will provide much-needed judicial guidance as to the extent of the FTC’s authority to bring cases under the “unfairness” prong, considerable ambiguity as to companies’ data security obligations will almost certainly remain. Clearly, companies should work to implement reasonable data security policies and procedures, but in a constantly changing technological environment, it is difficult to determine which policies and procedures will fit the FTC’s definition of “reasonable”. Companies that experience a data breach may find themselves the target of an FTC action, even if the breach occurred through no obvious fault of the company.
Additional Sources of FTC Authority
In addition to its general authority under Section 5 of the FTC Act, the FTC has authority to investigate and prosecute privacy violations and data security breaches under 33 different sets of rules, laws, and guides. Among the more frequently invoked sources of FTC investigations are the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act (including the Disposal Rule), the Gramm-Leach-Bliley Act Safeguards Rule, and the Telemarketing and Consumer Fraud and Abuse Act. Although a thorough analysis of the FTC’s authority and enforcement efforts under each of the applicable laws is beyond the scope of this article, one should keep these laws and rules in mind when considering the full scope of a website or other data collector’s privacy and data security obligations.