What Your Business Can Do to Comply With the Federal Trade Commission’s Data Security Standard. Part I: Does It Give Fair Notice?
What, exactly, can a business do to protect itself against a Federal Trade Commission enforcement action for allegedly failing to take reasonable precautions to protect its customers’ sensitive, private, digital information, such as credit card numbers, bank account information, dates of birth, and even medical records? Especially because it is difficult to know exactly what the term “reasonable precautions” actually means in the quickly evolving world of cybersecurity, it is important to develop a credible answer to the question. Some high-profile businesses, including at least one which has been the victim of a large-scale cyber-breach, have come up with a seemingly simple, though elegant, solution.
To appreciate the solution, though, you first have to understand the problem. This post will discuss the full extent of the problem. In the next post, we will examine the solution.
One of the main attacks against the FTC’s Reasonable Precautions cybersecurity standard is that it does not provide fair notice of what it requires or prohibits. What, exactly, constitutes a reasonable precaution and what does not? How can a business be expected to comply with a standard if it does not have fair notice of what it requires? This was a major defense in both the FTC’s administrative trial against LabMD and the action entitled Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants, Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey (the “Wyndham case”), both of which we have written about at length. At least so far, though, “reasonableness,” as applied on a case-by-case, fact-specific basis, is basically all a business has to work with.
In the Wyndham case, as we have previously written, one of the defendants, Hotels and Resorts, based its motion to dismiss the complaint, in large part, on the allegation that the reasonable precautions cybersecurity standard was too vague, and that the FTC should issue detailed regulations giving fair notice of what the standard required, before the FTC could seek to enforce it. In denying the motion, the court held:
But the Court is unpersuaded that regulations are the only means of providing sufficient fair notice. Indeed, Section 5 codifies a three-part test that proscribes whether an act is “unfair.” See 15 U.S.C. § 45(n). And, notably, Hotels and Resorts’ only response to the FTC’s analogy to tort liability–where liability is routinely found for unreasonable conduct without the need for particularized prohibitions–is the following: “While the negligence standard has long been a cornerstone of tort law, no Article III court has ever–not once–articulated the data-security standards that Section 5 of the FTC Act supposedly imposes on regulated parties.” (HR’s Reply to Jnt. Supp. Br. at 5). The Court is not persuaded by this argument that essentially amounts to: since no court has, no court can–especially since Hotels and Resorts itself recognizes how “quickly” the digital age and data-security world is moving. (See 11/7/13 Tr. at 25:12-14).
Think of what that actually means: there is no need for specific regulations prescribing what has to be done; the statute itself provides guidance; and the court can develop case law which can guide businesses as to what a reasonable precaution is under certain, fact-specific, circumstances. The latter seemingly is the most problematic. A body of case law does in fact provide significant guidance, but in order to provide the guidance, you actually have to have the case law. If you are one of the first, as Hotels and Resorts argues in the Wyndham case, how can you be expected to comply with, or even receive guidance from, a body of case law that does not yet exist?
Even the statute that provides the basis for the FTC’s “Reasonable Precautions” cybersecurity standard appears to be no more precise. 15 U.S. Code § 45, “Unfair methods of competition unlawful; prevention by Commission,” provides, in relevant part:
(n) Standard of proof; public policy considerations
The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.
It is hard enough to turn a company’s own privacy policy into executable, verifiable commands on a computer network, as we talked about previously. Imagine how difficult it is to turn the statutory language quoted above into the precise, yes-no world of computer programming.
Businesses do, however, have other court-sanctioned guidance. Quoting further from the April 7, 2014 decision of U.S.D.J. Esther Salas in the Wyndham case:
But the contour of an unfairness claim in the data-security context, like any other, is necessarily “flexible” such that the FTC can apply Section 5 “to the facts of particular cases arising out of unprecedented situations.” See Colgate-Palmolive Co., 380 U.S. at 384-85. And, Hotels and Resorts invites this Court to dismiss the FTC’s complaint on fair notice grounds despite the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure–and despite Hotels and Resorts’ own references to “industry standard practices” and “commercially reasonable efforts” in its privacy policy. (See Compl. ¶ 21).
It is those “Industry Standard Practices,” and “Commercially Reasonable Efforts,” to which businesses can turn to protect themselves. Those terms, too, are amorphous, as we have previously pointed out. Businesses, however, can put teeth into them on their own, without waiting for a body of case law to be developed, or for what should be a straightforward regulation, which leaves slightly less room for interpretation than the current standard, to be promulgated.
How businesses are doing just that will be the topic for the second half of this entry. Their apparent solution points out, once again, that sometimes the solution is staring straight at you; all you have to do is pay attention and remember that there is no reason to wait for someone else when you can do the job yourself.
Go raibh maith agat
Ray Grasing.