What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there are states, with various federal laws and regulations filling in various gaps or providing additional compliance issues. I have elsewhere referred to this as a “patchwork” system (although some might prefer the term “crazy quilt”).
It is for this reason that the Third Circuit’s decision in FTC v. Wyndham is fertile ground for thinking about what the future holds for data privacy regulation. Up until now, there has been no single data privacy “Sheriff” in the U.S. If your business suffers a data breach, you must look to the relevant state law (or relevant states, depending on where your businesses and customers with potentially compromised data are located) to understand (a) what kind of data matters, (b) whether the breach of that data triggers notification obligations, and (c) what the scope and range of those obligations are. Sometimes, federal laws apply: if your business is a financial institution, it must look to the Gramm Leach Bliley Act (GLBA). If you traffic in health care information, you must look to HIPAA. But up until now, there has not been a single authority with broad powers to take actions when a data breach affects a business and its customers.
FTC v. Wyndham suggests that the winds of change are blowing (regardless of whether or when Congress might act). This blog has already discussed some of the legal contours of the decision. But it is worth taking note of two holdings made by the Third Circuit panel.
First, the court held that the FTC’s powers to bring administrative actions under 15 U.S.C. §45(a) to enforce the prohibition against “unfair or deceptive acts or practices in or affecting commerce” extended to cybersecurity. Although this holding was not explicitly stated in this manner, the court’s discussion of the statutory language, and rejection of Wyndham’s arguments about the meaning and applicability of the word “unfair” in the relevant provision, make this holding plain. As the court stated, “We are . . .not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of ‘unfair.’” It further rejected Wyndham’s arguments that other specific Congressional acts relating to cybersecurity obviated the FTC’s authority in this case.
The “unfair practices” at issue in Wyndham included failing to have adequate security procedures preventing or mitigating the cyberattacks that led to the lawsuit, failing to maintain adequate unauthorized detection systems, and failing to follow “proper incident response procedures.”
Second, the court held actual injury was not necessary for the FTC to bring a claim, noting that the “FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.”
Taken together, the FTC’s authority to regulate companies who are the targets of hacks and who suffer data breaches is strikingly broad. Essentially, the Third Circuit’s holding allows the FTC to claim the mantle of data privacy Sheriff, allowing it to bring an administrative claim against a company in the event the FTC deems its policies and procedures inadequate or poorly followed. And no actual injury need be shown for the FTC to be able to do so.
To see what an important development this is in cybsersecurity law, it is worth noting how difficult it has been for private claimants to succeed in court against companies that have suffered a data breach. In those cases, some actual injury stemming from the data breach is often required for plaintiffs to have standing to sue. But as a public enforcer, the FTC need not clear such a hurdle. Moreover, private plaintiffs must often look to a relevant state law provision (assuming it even provides a private right of action, which it might not) or some contractual right that might or might not be enforceable. The FTC, instead, can rely merely on its authority relating to “unfair and deceptive acts or practices in or affecting commerce.”
The Wyndham case will not be the last word. Perhaps it will be heard by the Supreme Court; or another Circuit will weigh in on this issue and create a circuit split; or Congress will weigh in and change the landscape again. The authority of agencies, such as the SEC of FCC, might get in on the enforcement action. But make no mistake: the FTC is for now the unquestioned Sheriff in town. Its shadow has the capability of looming large and creating uniformity in the current U.S. legal landscape.