The Federal Trade Commission (FTC) has settled two more enforcement actions with companies that failed to adequately safeguard consumers’ personal information, despite challenges to its authority to regulate data security practices.
Credit Karma and Fandango Settle FTC Charges
Last week, the FTC announced that credit monitoring service Credit Karma and movie ticket outlet Fandango
entered into settlement agreements that will require the companies to submit to 20 years of independent security audits, improve security measures, and refrain from misrepresenting their security and privacy processes. The FTC had charged both companies with violating
Section 5 of the FTC Act (Section 5), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The agency alleged that Fandango and Credit Karma had engaged in unfair business practices by failing to properly implement Secure Sockets Layer (SSL) encryption on their mobile apps, thus leaving users’ payment information and other sensitive data vulnerable to “man-in-the-middle” attacks. The FTC also alleged that Fandango and Credit Karma had misrepresented the security of their apps, thereby deceiving customers.
Since 2002, the FTC has brought and settled
more than 50 similar data security enforcement actions against companies including Twitter, Rite Aid, and Petco. The FTC claims that it has broad authority under Section 5 to investigate and censure the data security missteps of companies across all industries, even though there is currently no overarching federal law mandating minimum data security standards.
Until recently, the FTC’s authority to regulate data security practices under Section 5 had gone largely uncontested. But in a highly-anticipated decision, a New Jersey federal court may provide guidance as to the extent of this authority.
FTC v. Wyndham Poses the First Serious Challenge to FTC Authority Over Data Security
In June 2012, the FTC
filed a complaint against global hospitality company Wyndham Worldwide Corporation in federal district court, alleging that Wyndham “failed to provide reasonable and appropriate security” measures on their computer networks, which led to a series of large-scale breaches of personal information and more than $10.6 million in fraudulent charges to customers’ accounts.
Specifically, the FTC charged that Wyndham engaged in deceptive business practices in violation of Section 5 by misrepresenting in its privacy policies and elsewhere the security measures it employed to prevent the unauthorized access of customer data. The agency further alleged that Wyndham’s failure to maintain reasonable data security constituted an unfair business practice, also in violation of Section 5.
Wyndham responded by filing a
motion to dismiss both the deception and the unfairness claims in the FTC’s complaint. Wyndham asserted,
inter alia, that the FTC “has neither the expertise nor the statutory authority to establish data security standards for the private sector” under the “unfairness” prong of Section 5. Wyndham pointed out that the FTC has
publicly acknowledged that it “lacks authority to require firms to adopt information practice policies,” and that it has repeatedly asked Congress to grant it broad, cross-industry authority to do so. Instead, Congress has enacted industry-specific legislation – such as the Health Insurance Portability and Accountability Act (
HIPAA), the Gramm-Leach-Bliley Act (
GLBA), and the Fair Credit Reporting Act (
FCRA) – none of which authorized the FTC to bring an action against Wyndham.
In its
reply, the FTC argued that Congress deliberately delegated broad authority to the FTC under Section 5 to “permit the FTC to protect consumers from unanticipated, unenumerated threats.” The FTC cited a range of uses of its Section 5 authority that were upheld by the courts, including the regulation of online check drafting and delivery, telephone billing practices, sales of telephone records, and sales of unsafe farm equipment.
In November 2013, Judge Esther Salas of the U.S. District Court for the District Court of New Jersey heard lengthy
oral arguments on Wyndham’s motion to dismiss. Counsel for Wyndham argued that a lack of clear statutory authority for the FTC to regulate data security, coupled with the August 2013 release of a
draft cybersecurity framework by the National Institute of Standards and Technology, demonstrated that Congress did not intend for the FTC to take the lead on data security enforcement.
At the conclusion of oral arguments, Judge Salas seemed
poised to rule in favor of the FTC, denying a motion by Wyndham to stay discovery until she ruled on its motion to dismiss. In January, however, Judge Salas
agreed to delay her ruling and allow supplemental briefing after an FTC Commissioner commented on the vagueness in the “unfairness” prong of the FTC’s Section 5 authority during congressional testimony.
A ruling is expected in the coming weeks. If Judge Salas rules in favor of Wyndham, she could seriously undermine the FTC’s authority over data security practices going forward. If she denies Wyndham’s motion to dismiss, the decision could pave the way for increased data security enforcement by the FTC.
After an Unsuccessful Challenge to FTC’s Authority, LabMD to Shut Down
Following Wyndham’s lead, another company challenged the FTC’s authority to regulate data security in an
enforcement action brought by the FTC in August 2013. The FTC charged LabMD, a clinical health testing company, with violating Section 5 after the sensitive personal information of 9,300 people was exposed via a public file-sharing network, leading some to have their identities stolen.
In November 2013, LabMD filed a
motion to dismiss, arguing that the FTC does not have authority to regulate data security practices with respect to patient health data under the “unfairness” prong of Section 5. LabMD claimed that because it provided cancer diagnoses to the patients of its physician-customers, that its information practices are regulated under HIPAA, which it had not been accused of violating. In its
response, the FTC argued that it shares concurrent authority with the Department of Health and Human Services over health information security. Once again, the FTC maintained that Section 5 gives it broad authority over “unfair” data security practices.
In January, the FTC issued an
order denying LabMD’s motion to dismiss. It concluded that Congress delegated broad authority to the FTC to regulate “unfair acts or practices,” including those of HIPAA-covered entities. The FTC reiterated its argument in Wyndham that federal courts had upheld its Section 5 authority in a wide variety of contexts.
Just days after the FTC’s order, LabMD
announced that it would shut down, citing the “debilitating effects” of the FTC’s four-year investigation of the company and calling it an “abuse of power.”
LabMD has twice requested federal court review of the FTC’s actions, but the cases were subsequently
dismissed and
withdrawn. It is not clear whether the company will seek further review.
Thus, the Wyndham litigation presents the only viable challenge to the FTC’s data security enforcement efforts at this time.
Data Security is a Top FTC Priority
Though questions about the FTC’s authority to regulate data security practices remain, the FTC has made data security a “
top priority” and shows no signs of slowing its enforcement efforts in this area. Accordingly, federal regulatory action is a very real threat to companies across all industries that fail to implement reasonable data security measures.
