FTC’s Data Security Enforcement: Due Process Denied

Cross-posted at WLF’s Forbes.com contributor page

In its pursuit of businesses whose security measures failed to prevent malicious hackers from compromising customers’ personal data, the Federal Trade Commission (FTC) utilizes a distressingly effective one-two punch. First, it argues that the target business’s inadequate data protection is “unfair” or “deceptive” under the broad dictates of Federal Trade Commission Act Section 5. Then, it convinces that target business to enter into consent agreements which dictate data protection actions and ongoing FTC monitoring. The settlements not only reinforce FTC’s view that it has authority over data security, but also create de facto regulatory standards which FTC Commissioners and staff then go out and jawbone businesses to embrace through speeches and testimony.

After 41 targets of FTC’s data security power-grab acquiesced and settled, a forty-second — Wyndham Hotel Group — refused to settle and earned itself an opportunity to challenge the Commission’s theory in New Jersey federal district court (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887). Wyndham’s motion to dismiss, an amicus brief filed by several business associations, and another filed by TechFreedom, the International Center for Law & Economics, Todd Zywicki, Paul Rubin, and Gus Hurwitz, make compelling arguments about FTC’s lack of authority under FTC Act § 5 to set data security policy or pursue enforcement actions. They point out how FTC previously and unsuccessfully sought general data security rulemaking authority from Congress. Wyndham, with support from TechFreedom, also argues that FTC’s complaint doesn’t even meet the minimum requirements needed to prove “deception” or “unfairness” under § 5 or the federal civil procedure rules.

Another potentially potent argument against FTC in Wyndham, which the defendant and amici address generally but don’t fully develop, is described in a forthcoming George Mason University Law Review article, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements. Authors Gerard Stegmaier and Wendell Bartnick explain how the court-created “fair notice doctrine” checks FTC’s assertion of data security oversight power.

Invoking the fair notice doctrine in the data security context is ironically appropriate, given that state laws require businesses to inform their customers if personal data has been compromised. Isn’t it equally important, especially considering the concepts of fair notice and transparency prescribed by the Fifth Amendment and administrative law, that regulated entities know what’s legal and what’s not? The doctrine Stegmaier and Bartnick describe arises from U.S. Court of Appeals for the D.C. Circuit cases, such as General Electric Co. v EPA, which stated that “a regulated party acting in good faith would be able to identify, with ascertainable certainty the standards with which the agency expects parties to conform.”

Stegmaier and Bartnick utilize the facts and circumstances surrounding the Wyndham case to explain the four factors the D.C. Circuit has evaluated when applying the fair notice doctrine.

  1. Does the plain text of the law provide notice, and is the regulated entity’s interpretation plausible?
  2. Do ‘authoritative’ pre-enforcement efforts by the agency, such as public statements, provide adequate notice?
  3. Did the agency inconsistently interpret the law or inconsistently apply its interpretations?
  4. Are serious penalties available?

FTC’s use of its general “deception” or “unfairness” authority under FTC Act § 5, the authors conclude, runs afoul of each factor. In the article’s concluding section, the authors discuss other mechanisms, such as rulemaking or formal adjudication, which could address the fair notice doctrine considerations.

District courts are normally reluctant to rule against a federal agency action based on constitutional arguments, and if the District of New Jersey does find for Wyndham, it is likely to be on narrower statutory or procedural grounds. Any loss by FTC in a case such as Wyndham will be a welcome shock to the system. But given WLF’s core belief in and support for a transparent, predictable regulatory environment, we hope that an opportunity arises at some point at the appellate level where the fair notice doctrine can be used successfully against FTC and its “unfairness” authority.
