Competition: Antitrust, UCL and Privacy (California Lawyers Association), No. 23-1, March 2014

REGULATION OF COMPANIES' DATA SECURITY PRACTICES UNDER THE FTC ACT AND CALIFORNIA UNFAIR COMPETITION LAW

By Kathryn F. Russo1

I. Introduction

News of data breaches dominates the headlines. Technology is advancing at a dizzying speed. Companies are collecting more sensitive personal information about consumers than ever before while hackers are devising new strategies to access this information.

In the context of this data-driven world, it is no surprise that companies' data security practices are coming under increasingly strict scrutiny. The Bureau of Justice Statistics estimates that approximately 7 percent of all U.S. residents age 16 or older were victims of identity theft in 2012.2 Both the Federal Trade Commission and the California Attorney General have made it a priority to pursue enforcement actions against companies that do not have reasonable data security practices.

For over a decade the FTC has used its authority under Section 5 of the Federal Trade Commission Act3 to enforce the prohibition against unfair and deceptive acts or practices in the field of data security. In evaluating whether a company's data security practices are unfair, the FTC uses a reasonableness standard and considers each company's data security practices on a case-by-case basis. The majority of the FTC's data security enforcement actions have resulted in settlements. However, for the first time, the FTC is facing a challenge to its authority to regulate companies' data security practices.

Companies also face challenges to their data security programs under California law. The California Attorney General has made clear that investigating breaches of personal information is an enforcement priority. Further, companies that experience data breach incidents face the additional burden of private lawsuits. Even though litigants bringing data security lawsuits have faced hurdles establishing constitutional standing under Article III and have had difficulty establishing a quantifiable harm, companies have chosen to settle these cases for significant sums.

Companies that store, transmit, and use consumer information would be well advised to reassess their data security practices to reduce the likelihood of data breaches and to avoid costly regulatory and private litigations that may arise following a breach.

[Page 201]

II. The FTC's Enforcement of Reasonable Data Security Practices
A. The FTC Evaluates Reasonableness of Data Security Practices on a Case-By-Case Basis

Pursuant to Section 5 of the FTC Act, Congress delegated broad authority to the FTC to protect consumers from unfair and deceptive trade practices.4 Under Section 5 of the FTC Act, an act or practice is unfair if the act or practice (1) "causes or is likely to cause substantial injury to consumers," (2) "which is not reasonably avoidable by consumers themselves," and (3) "not outweighed by countervailing benefits to consumers or to competition."5 The FTC assesses these three factors whenever it examines whether a particular practice is "unfair."6

In the context of evaluating a company's data security practices, the FTC has held that a company's failure to implement reasonable data security practices can be considered an unfair practice under this three-part standard.7 First, the FTC has stated that failing to reasonably protect consumers' personal and financial information can cause significant injury to consumers.8 Such failures increase the likelihood of unauthorized charges to consumers' financial accounts and put consumers at an increased risk of identity theft. Second, the FTC has stated that consumers cannot reasonably avoid such harms because the consumer has no way of independently knowing whether the company has unreasonable security practices, and turning over confidential financial and personal information is generally required of a consumer to complete a transaction with a company.9 Third, the FTC has stated that where a company employs unreasonable data security practices and does not implement low-cost technologies that reduce the risk of data breaches, the harm to consumers caused by the company's unreasonable data security practices is not outweighed by the countervailing benefits to consumers or to competition.10 Although a hacker may devise a way to breach even the most expensive state-of-the-art data security measure, requiring onerous data security measures could raise costs to businesses, making them less competitive and ultimately harming consumers. Therefore, this factor is flexible and allows the FTC to determine whether the data security measures a company employs are sufficient, given the particular situation.

Accordingly, the FTC uses its authority under Section 5 of the FTC Act to evaluate a company's data security practices on a case-by-case basis, considering the unique characteristics of the business and current security threats and technology. In a recent statement before Congress, the Commission emphasized that "[i]n the data security context, the FTC conducts its investigations with a focus on reasonableness — a company's data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities."11 In considering whether a company's data security practices are reasonable, the Commission "examines such factors as whether the risks at issue were well known or reasonably foreseeable, the costs and benefits of implementing various protections, and the tools that are currently available and used in the marketplace."12 Further, the Commission stated that "it does not require perfect security; that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and that the mere fact that a breach occurred does not mean that a company has violated the law."13

[Page 202]

The FTC has undertaken efforts to provide guidance to companies in developing reasonable data security programs. The FTC publicly publishes its complaints and consent decrees related to its data security enforcement actions.14 Additionally, the FTC holds workshops on issues that affect consumer data. Its recent workshops include a workshop on the Internet of Things,15 a workshop on mobile security issues,16 and a program on child identity theft.17 Further, the Commission published a business guide on data security with the goal of helping companies develop reasonable data security programs.18 Companies should review the consent decrees, workshops, and other guidance published by the FTC to help assess whether their data security program is reasonable.

B. The FTC is Pursuing Data Security Enforcement Actions Under the Unfairness Prong

For over a decade, the FTC has used its authority under Section 5 of the FTC Act to enforce the prohibition against unfair and deceptive acts or practices in the field of consumer privacy and data security. Initially, the FTC focused its enforcement efforts on companies' "deceptive" data security practices.19 In 2005, the Commission began pursuing enforcement actions against companies engaging in "unfair" data security practices.20

[Page 203]

Companies should expect and be prepared for the FTC to continue to aggressively pursue actions against companies for engaging in unfair data security practices. Recently, the Commission released a report stating that the Commission has "redoubled its efforts to protect consumer privacy, including through law enforcement. . . ."21 Further, at the beginning of this year, the Commission marked its 50th data security settlement.22 Over 20 of these settlements included allegations that a company's failure to reasonably safeguard consumer data was an unfair practice.23

Companies should be aware that the majority of the Commission's data security investigations have resulted in consent decrees. In the context of data security actions, the Commission's consent decrees typically require a company to establish, implement, and maintain a comprehensive information security program and to obtain, on a biannual basis, an assessment and report from a third-party professional regarding the company's data security safeguards for a period of time ranging from 10 to 20 years.24 However, two companies have recently challenged the FTC's authority to regulate companies' data security practices, as described below.

C. Two Companies Have Challenged the FTC's Authority to Regulate Data Security Practices

Although the majority of the Commission's data security investigations have resulted in consent decrees, two companies, LabMD Inc. and Wyndham Worldwide Corporation (together with three of its subsidiaries), are currently challenging the FTC's authority to regulate the data security practices of businesses.25 Both LabMD and Wyndham argue that the FTC lacks authority to regulate companies' data security practices under Section 5 of the FTC Act, and that the FTC has failed to provide fair notice of what constitutes reasonable data security standards.26 As discussed below, the Commission issued an order in the LabMD case affirming its authority under the FTC Act to regulate and enforce the data security practices of businesses.27 Wyndham's motion to dismiss the FTC's complaint is pending in the United States District Court for the District of New Jersey following oral argument.

[Page 204]

Specifically, in the LabMD case, the FTC filed an administrative complaint against LabMD, alleging that it "engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks."28 LabMD is a clinical laboratory that conducts tests on specimen samples from patients and reports the test results to patients' health care providers.29 In conducting such tests, LabMD obtains a variety of...
