Last week, in Federal Trade Commission v. D-Link Systems Corp. et al, case number 3:17-cv-00039, in the U.S. District Court for the Northern District of California, the Federal Trade Commission (“FTC”) initiated its first cybersecurity enforcement action in which an entity’s alleged vulnerability to cyberattacks, one that left consumer data potentially susceptible to unauthorized acquisition by third parties, could trigger liability, even though the data had not been hacked and consumers had sustained no injury or damages. In D-Link, the FTC alleges, among other things, that D-Link failed to protect its router, camera and software products from foreseeable risks in violation of section 5(a) of the FTC Act (15 USC §45). The case marks the FTC’s continued effort to regulate and enforce against lax cybersecurity measures that it believes expose consumers to unreasonable risks.
In that regard, in seeking to protect consumers from data security incidents that leave them exposed to the risks of identity theft and fraud, the FTC has been steadily expanding its enforcement activities under section 5(a). The FTC Act embodies what is commonly known as the “unfairness doctrine,” which “prohibits unfair or deceptive acts or practices in or affecting commerce.”
For example, the “unfairness doctrine” has been applied to companies that failed to install reasonable security measures, treating that failure as an unfair and deceptive practice that harms consumers, irrespective of any misrepresentations by the particular company as to the security measures it had implemented. Under the doctrine, businesses maintaining or storing personal identifying information or other sensitive data are under a duty to take reasonable steps to protect such data. Failure to do so exposes a business to enforcement actions and, if violations are found, to remedies including injunctive relief, financial penalties and government-approved third-party monitoring of the cybersecurity standards, policies, procedures and written information security programs implemented to protect consumers’ data. Consent agreements, which include mandatory monitoring and data security compliance programs, often extend for a term of twenty years.
In evaluating whether to initiate a data security enforcement action against a business, prior to 2005, the FTC relied on the deceptive practices prong of the unfairness doctrine, requiring businesses to have engaged in a deceptive act or misrepresentation. Such misrepresentations typically centered on a business’s false claims concerning the security measures it had implemented to safeguard and protect sensitive consumer data, rendering the privacy statements, to that extent, deceptive.
In 2005, in In the Matter of BJ’s Wholesale Club, Inc., File No. 042-3160 (June 2005), the FTC’s enforcement action was, for the first time, predicated on the unfairness prong, which prohibits practices “that causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). In BJ’s, hackers were able to infiltrate its computer system and steal the names and credit card information of at least 40,000 customers, allegedly resulting in millions of dollars in fraudulent purchases. The FTC’s action alleged that BJ’s failed to institute reasonable measures to secure its customers’ data. Importantly, it was the alleged failure of BJ’s to implement reasonable safeguards that triggered the unfairness prong of the doctrine, without any requirement that BJ’s had made any misrepresentation as to its information security or how it protected customers’ data.
Following the action in BJ’s Wholesale Club, Wyndham Worldwide Corporation was confronted with allegations by the FTC that it similarly failed to protect its customers’ data, allegedly resulting in three data breaches within two years. The hotelier, in FTC v. Wyndham Worldwide Corporation, challenged, in a motion to dismiss, the FTC’s authority to maintain cybersecurity enforcement actions based on the unfairness prong, as opposed to any allegations that it affirmatively made a deceptive claim or misrepresentation (i.e., the deceptive practices prong of the unfairness doctrine) with respect to its information security. The United States District Court in New Jersey denied the motion. Wyndham appealed, with the issues presented on appeal being “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”
In August 2015, the Third Circuit affirmed the District Court’s decision, finding that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge alleged data security failures that were set forth in the complaint. Here is a link to that decision.
Until this year, in every FTC-initiated cybersecurity enforcement action, whether brought under the unfairness or the deceptive practices prong of the unfairness doctrine, the subject entity had suffered a breach in which compromised records were obtained by third parties, exposing its customers to the risk of identity theft, fraudulent purchases and/or damages.
With its latest filing in D-Link, the FTC is seeking to expand its enforcement powers beyond Wyndham to bring actions when an entity, such as D-Link, allegedly fails to employ reasonable measures to protect customer data, leaving such data susceptible to attack, even though it did not result in any exposed data, harm or damages to its customers. The FTC’s action in D-Link could represent the next pivotal moment in defining the data security responsibilities of all entities entrusted with personal identifying information and/or other sensitive information.
Indeed, if the vulnerability of sensitive data, without any accompanying unauthorized acquisition of that data by third parties, is found to be sufficient independent grounds for the FTC to exercise its cybersecurity enforcement authority, all companies will be on notice that, just as a misrepresentation as to information security is no longer required under the unfairness doctrine, neither is actual injury or damages stemming from a cyber breach. Companies would then need to ensure they are implementing reasonable measures to protect their customers’ data and following the best practices applicable to them and their respective industries in order to avoid triggering potential liability under Section 5(a) of the FTC Act. In designing their cybersecurity programs, entities should consider the FTC’s action in D-Link.