In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding could be reversed in any ultimate appeal of a later decision on the merits).

More importantly, as the district court itself noted, “A liability determination is for another day.” For this reason, “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.  Instead, the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.”  Therefore, the FTC’s position that it provided “fair notice” of the applicable data security standards will now go on to be determined after a full evidentiary record has been developed, including the consideration of evidence whether Wyndham’s practices actually caused or were likely to cause substantial injury to consumers that was not reasonably avoidable by those consumers.

The Power of the FTC
In rejecting Wyndham’s arguments that the FTC’s Section 5 authority does not extend to free-roaming regulation of data security, the district court tacitly began with the premise that virtually any unfair practice affecting commerce is within the power of the FTC to regulate, absent legislation contradicting that power in specific areas. While our next installment of this series will examine the historical context of the FTC’s unfairness authority and earlier criticisms of the agency’s “shifting course” and “ad hoc” enforcement, we must briefly address the FTC’s authority today, as it cannot be completely disassociated from the question of what constitutes fair notice.

In arguing that the FTC did not have authority to regulate data security, Wyndham pointed to a number of public statements made by the FTC in previous years in which the FTC stated that it did not have the power to generally enforce data security lapses under the unfairness prong.  In fact, the FTC had asked Congress to grant it the broad authority over data security which the agency did not believe it possessed under Section 5.

Yet Judge Salas “was not convinced” that these statements added up to the type of unequivocal disavowals of authority similar to those that the FDA had given with respect to cigarette regulation, as addressed in Brown v. Williamson. Judge Salas did recognize the fact that the FTC seemed to have reversed its position in subsequent years, but suggested that an agency should not be locked into its initial statutory interpretation, and pointed to a statement to that effect by the Supreme Court in Brown v. Williamson.  As in all cases where an agency changes direction, it must give a reasoned explanation for the change.

Fair Notice
The District Court next turned to Wyndham’s argument that the FTC failed to provide “fair notice” as to the standard of conduct Wyndham was required to follow because it had not promulgated any rules or regulations on point; in short, Wyndham maintained that businesses should not be forced to “divine” the FTC’s belief as to what practices will constitute unfair conduct subjecting it to an enforcement action. Wyndham also argued that the appropriate test for determining whether the FTC had provided fair notice was whether the standard of conduct for businesses such as Wyndham had been stated with “ascertainable certainty,” and that the standard could not be met by announcing rules “for the first time in an enforcement proceeding.” Wyndham argued that “if the FTC could regulate data security at all, it must do so through published rules that give the parties fair notice of what the law requires.”

The Commission does have the authority, within certain limits, to prescribe “interpretive rules and general statements of policy with respect to unfair or deceptive acts or practices in or affecting commerce” and “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce,” known as the “Magnuson-Moss” rulemaking procedures. However, these procedures go well beyond those set forth in the Administrative Procedure Act. Specifically, when prescribing “interpretive rules and general statements of policy,” the Commission can only act where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent, either because it has issued cease and desist orders regarding such acts or practices or because other information indicates a widespread pattern of such acts. When this threshold is met, the FTC must publish an “advance notice” of the rulemaking (in addition to and prior to the publication of the actual proposed rulemaking) that meets certain criteria and invites comment. The Commission must also submit such advance notice of proposed rulemaking to the Committee on Commerce, Science, and Transportation of the Senate and to the Committee on Energy and Commerce of the House of Representatives (the “Committees”). Thirty days before the publication of the actual notice of proposed rulemaking, the Commission must submit such notice to the same Committees.

Similar burdens are associated with prescribing rules that define with specificity the acts or practices which are unfair or deceptive. In such a rulemaking, the Commission must publish a notice of proposed rulemaking stating with particularity the text of the proposed rule, including any alternatives, and the reason for the proposed rule; it must also permit public comment and provide an opportunity for an informal hearing. In all, the burdensome provisions of the Magnuson-Moss rulemaking requirements are practically prohibitive, as indicated by the FTC in its testimony before a House of Representatives subcommittee in 2011. This, perhaps in addition to the Commission’s unclear authority to act in this realm, has resulted in a complete void of data security rules by the Commission.

Undeterred, the FTC argued in the Wyndham Worldwide case that “agencies are permitted to articulate principles through adjudication unless the action would constitute an abuse of discretion (such as a ‘sudden change of direction’) or would violate the Administrative Procedure Act (such as by bypassing a pending rulemaking proceeding).” In the context of data security, the FTC argued that it has been “investigating, testifying about, and providing public guidance” for more than a decade and therefore, in the absence of a pending rulemaking proceeding, enforcement actions were appropriate vehicles under its Section 5 authority.

The district court agreed with the FTC and found that where an agency is given the choice of engaging in rulemaking or proceeding by individual adjudication, that choice is typically left to the discretion of the agency. The very breadth of the FTC Act, the court held, suggested that the agency needs flexibility to address complex and differing situations. Refusing to find whether the correct standard was “ascertainable certainty”, the court held that there was no requirement that the FTC formally publish regulations before bringing an individual claim. In any event, the court found, there was sufficient “notice” found in “the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure.”

There is a tension between Judge Salas’ rejection of numerous consistent public statements by the FTC disavowing its power as “unconvincing,” discussed above, and the judge’s willingness to accept a patchwork of publications, statements and consent decrees by the FTC as giving fair notice of a discernible standard for reasonable data protection that businesses everywhere must understand and follow. Indeed, the public statements and business guidance brochures can hardly meet the specificity of an interpretive rule or general statement of policy that would be required to go through a rigorous public (and congressional) comment period and give affected businesses an opportunity to conform to any applicable standard.

While not cited by the district court, a recent article by Professors Daniel J. Solove and Woodrow Hartzog suggests that the FTC’s various pronouncements can be fairly understood as a body of “common law” for privacy. In the article, the authors provided “a rather detailed list of inadequate security practices” pulled from the “FTC’s data security jurisprudence”. Other commentators have also opined that the FTC has already developed a “robust data protection body of law” through its enforcement actions.

The question is whether this is the manner in which we want our agencies to promulgate guidance for all businesses operating within the jurisdiction of the United States on a topic as important as data security, rather than through formal rulemaking. Moreover, do we want agencies to then be able to bring standalone enforcement actions for violations of that guidance? While it may be possible for scholars to assemble lists of standards from various sources, is this the optimal way for companies to ascertain the applicable standards and apply them on the ground? How thoroughly must a company scour FTC literature, public statements and settlements, and to what extent must every piece of guidance be followed—for instance, is “Privacy by Design” now a requirement that must be followed, and what type of documentation of compliance with that rubric will suffice if the FTC challenges a company’s compliance? How will a company ever feel confident that it is providing “FTC-sufficient” protection for its customers’ data?

As noted above, the “fair notice” ruling by the district court was only preliminary, and will be tested again after discovery. Wyndham will presumably need to demonstrate that the various publications and pronouncements by the FTC are too incomplete, too vague, too contradictory, or too confusing to constitute fair notice. However, the tenor of the court’s decision certainly suggests that Wyndham may continue to face an uphill battle on these claims.

In our next post, we will attempt to place the Wyndham Worldwide decision in a broader context: What does it tell us about the future of enforcement in data security; how Congress may react (or not) to this decision; and finally, what should businesses do in light of this new reality?