FTC’s Data Security Enforcement: Due Process Denied

Cross-posted at WLF’s Forbes.com contributor page

In its pursuit of businesses whose security measures failed to prevent malicious hackers from compromising customers’ personal data, the Federal Trade Commission (FTC) utilizes a distressingly effective one-two punch. First, it argues that the target business’s inadequate data protection is “unfair” or “deceptive” under the broad dictates of Federal Trade Commission Act Section 5. Then, it convinces that target business to enter into consent agreements which dictate data protection actions and ongoing FTC monitoring. The settlements not only reinforce FTC’s view that it has authority over data security, but also create de facto regulatory standards which FTC Commissioners and staff then go out and jawbone businesses to embrace through speeches and testimony.

After 41 targets of FTC’s data security power-grab acquiesced and settled, a forty-second — Wyndham Hotel Group — refused to settle and earned itself an opportunity to challenge the Commission’s theory in New Jersey federal district court (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887). Wyndham’s motion to dismiss, an amicus brief filed by several business associations, and another filed by TechFreedom, the International Center for Law & Economics, Todd Zywicki, Paul Rubin, and Gus Hurwitz, make compelling arguments about FTC’s lack of authority under FTC Act § 5 to set data security policy or pursue enforcement actions. They point out how FTC previously and unsuccessfully sought general data security rulemaking authority from Congress. Wyndham, with support from TechFreedom, also argues that FTC’s complaint doesn’t even meet the minimum requirements needed to prove “deception” or “unfairness” under § 5 or federal civil procedure rules.

Another potentially potent argument against FTC in Wyndham, which the defendant and amici address generally but don’t fully develop, is described in a forthcoming George Mason University Law Review article, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements. Authors Gerard Stegmaier and Wendell Bartnick explain how the court-created “fair notice doctrine” checks FTC’s assertion of data security oversight power.