Federal Judge Upholds FTC’s Authority to Regulate Commercial Data Security Practices
Commenting that she “ha[d] wrestled with arguments in the parties’ initial briefing, oral argument, supplemental briefing, as well as in several amici submissions,” Judge Esther Salas of the U.S. District Court for the District of New Jersey concluded, among other rulings:
- There is no data security carve-out to the FTC’s Section 5 general unfairness authority. Judge Salas ruled that laws that expressly grant the FTC the ability to regulate data security – such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Children’s Online Privacy Protection Act – do not preclude its ability to regulate data security under its unfairness authority, but rather complement it. Moreover, the judge concluded that a few statements made by the FTC implying that the agency did not have the authority to regulate data security did not diminish its ability to bring data security claims under Section 5.
- The Commission’s allegations of “more than $10.6 million in fraud loss” resulting from the allegedly deficient data security practices constituted sufficient harm to plead a Section 5 unfairness claim. One requirement to sustain a Section 5 unfairness claim is that the unfair practice must “cause or [be] likely to cause substantial injury to consumers.” Judge Salas ruled that the FTC adequately pleaded this requirement by alleging that the “failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection and use,” which “caused and is likely to cause substantial consumer injury, including financial injury.” Combined with the complaint’s allegations of specific data security insufficiencies and fraud loss, Judge Salas ruled that the FTC met the pleading requirements. As an aside, and although not on point in this case, the judge commented in a footnote that she was “not convinced that non-monetary harm is, as a matter of law, unsustainable under Section 5 of the FTC Act.”
- Wyndham’s representations about its data security practices also were sufficient to support a Section 5 deception claim. The FTC cited a number of Wyndham’s generic statements about its data security practices to support its claim that the statements constituted a deceptive practice under Section 5. These included representations that “[w]e safeguard our Customers’ personally identifiable information by using industry standard practices” and make “commercially reasonable efforts” to collect personally identifiable information “consistent with all applicable laws and regulations.” Judge Salas ruled that these representations, accepting the FTC’s factual allegations as true and drawing reasonable inferences in favor of the Commission, were actionable as deceptive statements under Section 5.
Crucially, the judge only ruled on the ability of the FTC to bring general data security claims under Section 5 of the FTC Act; the ruling was not a finding that Wyndham's actual data security practices violated the law, which for now will continue to be litigated. Absent an extraordinary interlocutory appeal being permitted, an appellate court will not have the opportunity to rule on Judge Salas's view of FTC jurisdiction for some time, if at all.
In effect, this ruling gives a judicial stamp of approval to the FTC’s ongoing enforcement of commercial data security practices. In the almost two years since the Commission originally filed its complaint, it has settled twelve different data security investigations under Section 5. And unless this decision is overturned on appeal or another court rules to the contrary (or Congress acts to clarify authorities to regulate cybersecurity), security practices that the FTC deems “unreasonable” or “inappropriate” in informal guidance or in complaints issued along with consent orders will continue to serve as a de facto legal standard for data security in the United States.