Part of the aftermath of cyber attacks like the recent hackings of popular retailers Target, Neiman Marcus and Michaels is an investigation and fines from the Federal Trade Commission.
But two cases in particular cast doubt on the commission’s authority to act as a “roving police officer of data security,” as one challenger stated in court documents.
Following a third data breach in two years at hotel chain Wyndham Worldwide, the US Federal Trade Commission (FTC) filed a lawsuit in 2012 against Wyndham Worldwide and three subsidiaries for allegedly failing to protect customer personal information.
Wyndham decided to take on the federal entity, filing a motion to dismiss.
What has followed has been a he-said-she-said scenario in which Wyndham claims the FTC lacks statutory authority to regulate data security as an unfair trade practice under Section 5 of the FTC Act, while the commission insists Congress empowered it to prevent businesses from using unfair trade practices as well as practices unfair or deceptive to consumers.
Insurers, businesses and law communities are following the case on the basic premise that the ruling “may indicate how much teeth the FTC has,” Joshua Gold, shareholder in law firm Anderson Kill’s New York office, told Advisen.
“The case is especially interesting because the suit has the potential to map out the scope of the FTC’s ability to establish liability where class-action plaintiffs have, so far, largely failed,” he added.
In the US there is no all-encompassing law or regulatory body responsible for privacy and cyber security, but Advisen has compiled a list of key federal regulatory players.
An early 2014 ruling from US District Judge Esther Salas in New Jersey was anticipated, but testimony to a US House subcommittee from one of the FTC’s commissioners has delayed an outcome and added entries to the court docket from each side.
Lee Terry (R-Neb.), chairman of the US House Subcommittee on Commerce, Manufacturing and Trade, expressed apprehension about the vagueness of the FTC’s power to regulate under Section 5 during an early December hearing. He said he was concerned recent issues “may take the commission away from the scope in which Congress legislated,” and “add to the regulatory uncertainty many businesses feel already.”
According to the hearing transcript and court documents filed by Wyndham, FTC Commissioner Joshua D. Wright told lawmakers at the hearing that the “fundamental problem” in enforcing Section 5 was “a combination of the agency’s administrative process advantages and the vague nature of the Section 5 authority governing unfair methods of competition.”
He went on to say companies usually settle with the FTC to avoid costly litigation while “shooting at a moving target, and may have the chips stacked against them.”
Indeed, Wyndham could be the one company among those now challenging the FTC that actually survives the process. Other companies fined by the FTC have absorbed the costs as well as years of audits under settlements. TJ Maxx reportedly settled with the FTC after a breach; terms included 20 years of systems auditing. Recently Apple signed a $32.5 million settlement with the FTC, though the case had nothing to do with a data breach.
LabMD, another company sued by the FTC after it suffered a data breach, is similarly fighting the commission’s authority. According to a Wall Street Journal report, LabMD said it is hemorrhaging financially due to costs associated with the FTC case.
The LabMD-FTC dispute is now in an administrative law court. Meanwhile, nonprofit group Cause of Action has filed a federal lawsuit against the FTC on behalf of the medical testing laboratory.
Wyndham has tried using testimony from the Dec. 3 hearing as support for its motion to dismiss. For the moment the company has delayed a ruling: Judge Salas asked for additional information from Wyndham and the FTC.
The FTC shot back with a letter to the court saying the hotel chain “selectively excerpted” testimony. Attorneys for the agency said Wright was talking about the FTC’s competition power under Section 5, not its role in consumer protection, on which its case against Wyndham hinges.
In a much longer letter to the court dated Jan. 29, Wyndham reiterates its objection to the FTC’s tactic of bringing enforcement actions “without providing any advance notice of what the law requires.”
“Whatever the merits of the FTC’s public policy arguments, its current approach to data security runs afoul of fundamental principles of fair notice and imposes substantial costs on businesses,” said Wyndham in the filing. “Law and logic undermine the FTC’s belief that it can regulate data security as an unfair trade practice under Section 5.”
Congress seems confused as well, according to Wyndham. Since the Target and Neiman Marcus breaches, lawmakers have introduced new data-security laws. If the FTC has the authority as an overseer of data security, new laws would be unnecessary, the hotel chain said. Additionally, Congress and the President are “engaged in a robust public policy debate on how to best regulate data security.”
“The FTC should not be permitted to short-circuit the democratic process by claiming authority for itself to regulate data security wholly apart from Congress,” lawyers for Wyndham write.
Hearings on the Target breach are planned for early February. In part, lawmakers are expected to hash out the FTC’s authority to regulate cyber security, as some have publicly questioned the agency’s scope of power. Sen. Robert Menendez (D-NJ) has said he is investigating whether the FTC can fine companies for breaches, adding that he’d like to give it that authority if the agency does not already have it.
“Does the FTC have jurisdiction and do they get to exercise it in this way?” questioned attorney Jon Neiditz, a partner with Atlanta’s Kilpatrick Townsend.
“Right now they are not rulemaking or taking comment, but they are going after companies—obtaining settlements including years of audits as well as fines,” Neiditz told Advisen.
Neiditz said he can see an outcome that would include an affirmation of the FTC’s authority to regulate cyber security but it may be ordered to follow normal regulatory procedures of letting firms know what the standards are—and defining actionable failures.
“What I think many people don’t understand is all organizations have breaches regularly,” Neiditz explained. The current repercussions of a breach on a company may fly in the face of making security better, he added. “This could force firms to go underground and fight these wars themselves,” Neiditz said.
Anderson Kill’s Gold said plaintiffs have succeeded in finding insurance coverage for costs related to cooperating with an FTC investigation after a cyber attack. But typically the insurance industry has determined fines are not insurable.
“There is a concern if the FTC penalties are labeled ‘fines,’” Gold said. “Sometimes a ‘fine’ is not a ‘fine’ but more of a reimbursement as a form of compensatory damages.”
If the FTC succeeds, Gold does not anticipate “copy-cat” class-actions. Proposed classes have had a difficult time being certified and even if they get the distinction, actual damages have been “very, very difficult to prove,” said Gold.