House Oversight and Government Reform Committee Hearing
Federal Information & News Dispatch, Inc.
Mr. Chairman Issa, Ranking Member Cummings, and Members of the Subcommittee, my name is
INTRODUCTION
In 2013, there were 63,437 reported security incidents and 1,367 confirmed data breaches affecting more than 44 million data records across the globe according to
While entities have business incentives to protect the information they collect, there is no single broad federal law requiring data security. Instead, the law has focused on criminalizing unauthorized access. This is not surprising since the law generally favors open and broad accessibility of information.
Over the last decade, the FTC has begun requiring reasonable data security for entities not covered by existing, industry-specific federal regulations. The FTC routinely investigates publicly reported data-related incidents and has brought more than 40 data-security cases since 2000. n4 The FTC has become increasingly aggressive, as demonstrated by an FTC consent order with
The FTC bases its authority over data security on [Sec.] 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." n5 Usually, the FTC makes a deceptive practices claim when an entity experiences a data breach after publishing statements that it secures data. n6 Less frequently, the FTC alleges unfair practices in data-security cases. n7 However, [Sec.] 5 does not mention data security, which begs a practical question: Because the Constitution requires that entities receive fair notice to reasonably understand what behavior complies with the law, does the investigation and prosecution of entities under [Sec.] 5 in data-security cases violate entities' constitutional rights to fair notice? And, if so, how might these due process concerns be better addressed?
While the Fair Notice Doctrine began in the context of criminal defense, in 1968 the
The fair notice doctrine is not a trivial, academic legal theory with little bearing on the practice of law. On the contrary, given the FTC's broad discretion under [Sec.] 5 of the FTC Act, the FTC's aggressive enforcement stance in the data-security context, and the agency's reluctance to use its existing rulemaking authority to clarify its data-security expectations, the doctrine is directly relevant to the current regulatory climate. n10 Although the FTC has undertaken significant efforts to develop and improve notice of its interpretation of [Sec.] 5, the nature, format, and content of the agency's data security-related pronouncements raise equitable considerations that create serious due process concerns. n11
FAIR NOTICE DOCTRINE
WHAT IS THE FAIR NOTICE DOCTRINE?
The fair notice doctrine requires that entities be able to reasonably understand whether their behavior complies with the law. If an entity acting in good faith cannot identify with "ascertainable certainty" the standards to which an agency expects it to conform, the agency has not provided fair notice. n12 An agency using enforcement conduct, rather than less adversarial methods, to define the contours of its broad discretion likely raises greater due process concerns. n13 Due process protections, like those provided by the fair notice doctrine, increase in importance in these circumstances. A defendant may raise the fair notice defense to defend itself against agency enforcement when it feels it has not received proper notice. n14
DISTINCTION BETWEEN CHEVRON DEFERENCE AND THE FAIR NOTICE DOCTRINE
The fair notice doctrine can serve as an effective defense even when a statute passes Chevron deference. Chevron deference is a powerful legal doctrine based on the assumption that federal agencies are experts on the statutes they enforce. n15
THE FAIR NOTICE TEST AS APPLIED BY THE D.C. CIRCUIT
The fair notice doctrine is a creature of judicial creation not yet reviewed or bounded by the
"Ascertainable Certainty": The D.C. Circuit's Test
In a nutshell, fair notice requires that a party be able to determine an agency's expectations with "ascertainable certainty" in order to satisfy due process requirements. Fair notice exists when "a regulated party acting in good faith would be able to identify, with 'ascertainable certainty,' the standards with which the agency expects parties to conform." n17 "The regulations and other public statements issued by the agency" n18 should provide this ascertainable certainty.
What is "Ascertainable Certainty"?
The words "ascertainable certainty" are not particularly clear; four factors have been identified to apply the standard by the D.C. Circuit:
1. Does the Plain Text of the Law Provide Notice, and Is the Regulated Entity's Interpretation Plausible?
The D.C. Circuit has held that the most important factor for a successful fair notice defense is whether a careful reading of the law's plain language provides the necessary notice of the law's meaning. n19 "[W]here the regulation is not sufficiently clear to warn a party about what is expected of it" n20 the fair notice doctrine protects a party from government sanction. The language of the regulation provides proper notice only if it is "reasonably comprehensible to people of good faith." n21 Where the law is silent or ambiguous and multiple interpretations exist, the D.C. Circuit has applied the fair notice doctrine to protect parties from government sanctions.
2. Do "Authoritative" Pre-Enforcement Efforts by the Agency, Such as Public Statements, Provide Adequate Notice?
Courts will determine whether the conduct of the agency ensures adequate notice by reviewing the agency's public statements and actions, such as notices published in the Federal Register, n22 adjudicatory opinions, n23 previous citations, n24 and policy statements. To my knowledge, the D.C. Circuit has not analyzed whether a single-party consent decree or settlement with an agency constitutes a reviewable and authoritative interpretive document as part of the "ascertainable certainty" test.
Moreover, to meet fair notice requirements, agency guidance must be "authoritative" and originate from the agency as a whole. n25 Statements from some other source, like the opinion of agency staff or even a single commissioner who may not be speaking for the entire agency, are insufficient. n26 A court would need to determine whether an agency's public statements, such as published complaints, consent orders, and guidance came from the agency as a whole. If they did not, a court should not consider them as a source of notice. Regulated entities should be able to clearly determine which statements identify the law's requirements, and which do not. By limiting the authoritative source to agencies as a whole, courts relieve regulated entities from having to parse the statements of agency staff or individual commissioners to determine what the law is. n27
3. Did the Agency Inconsistently Interpret the Law or Inconsistently Apply Its Interpretation?
A fair notice inquiry will look for an agency's conflicting interpretations of the law, i.e., whether the agency has published inconsistent documentation, n28 provided inconsistent advice to entities, n29 or otherwise acted inconsistently. n30 When an agency provided no notice at all, courts would likely exclude this factor.
4. Imposition of a Serious Penalty
Finally, the regulation must be sufficiently clear to warn a party of what is expected of it; otherwise, an "agency may not deprive a party of property by imposing civil or criminal liability." n31 The D.C. Circuit seems to view this requirement broadly. According to the court, due process requires that parties receive fair notice before the government may deprive them of property, such as through the imposition of a fine, n32 the denial of a license application, n33 or by requiring an entity to take costly action, such as a product recall. n34 The D.C. Circuit's "ascertainable certainty" test provides a useful tool to analyze current FTC activities in the area of information security and highlight challenges and complications to the agency's exercise of its [Sec.] 5 authority.
THE FTC ACT'S PROHIBITION OF "UNFAIR ACTS OR PRACTICES"
In [Sec.] 5 of the FTC Act,
THE FTC'S "UNFAIRNESS" AUTHORITY
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." n35 An unfair act or practice is one that "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." n36 To be a substantial injury, it must be significant in magnitude and actual (i.e., the harm has occurred or is imminently threatened). n37
Consumer injury may involve either causing very severe harm to a small number of people or "a small harm to a large number of people." n38 The two forms of injury that typically qualify under the "unfairness" test are economic harm and harm to health or safety. n39
The FTC's Use of "Unfairness" Authority
The FTC may use its unfairness authority when the alleged unfair practices and harm to consumers are clear. The FTC has used the law's breadth to regulate a wide range of business practices, from the production of farm equipment n40 to telephone bill processing. n41 However, what constitutes "unfair" data-security practices is far from clear. The amount of data security necessary to make an entity's practice "fair" under [Sec.] 5 is unknown. Traditionally, the FTC has exercised its unfairness authority when there is obvious and substantial consumer harm, e.g., burn injuries and stolen money. In the vast majority of data-security cases, however, the harm may be more difficult to determine and may not be "substantial." In fact, courts have wrestled with whether the loss of personal information constitutes a cognizable harm to consumers without evidence of actual damages. n42 Actual damages resulting from a particular data-loss incident can be difficult to ascertain. n43 For example, even when a breach compromises credit card numbers, no harm may result because credit card companies refund consumers for any fraudulent charges made to their accounts. Given the complexity of data security, the less-than-clear harm, and the fact that third-party criminal activity typically leads to the harm, fair notice is even more essential in the data-security context as compared to other types of alleged unfair practices.
The FTC's Section 5 Enforcement and Penalty Structure
When the FTC identifies an "unfair" practice, it may enforce [Sec.] 5 against the party using the practice through an administrative process and issue a cease-and-desist order, which commonly results in a consent order. n44 Alternatively, the FTC can file a complaint in court, seeking injunctions and consumer redress against defendants through adjudication and fact finding for alleged violations of [Sec.] 5. n45
In the areas of privacy and data security, the FTC has typically followed the administrative process and entered into consent orders with defendants. The full Commission must approve consent orders, and they are subject to notice and public comment before becoming effective. n46
Any violation of a consent order can result in civil penalties of up to
For example, the FTC filed an action against Google for violating a consent order when
THE FTC USES SECTION 5 OF THE FTC ACT TO INVESTIGATE AN ALLEGED LACK OF PROPER DATA-SECURITY SAFEGUARDS
The FTC Act grants the FTC both specialized rulemaking and enforcement authority under [Sec.] 5, although the agency's rulemaking authority is limited. n52 The FTC's rulemaking authority, which is commonly referred to as Magnuson-Moss rulemaking, n53 includes additional requirements that are more cumbersome than the more traditional Administrative Proceedings Act (APA) process. For example, the FTC Act requires the FTC to "provide for an informal hearing" in which interested parties are entitled to present oral testimony and potentially cross-examine witnesses. n54 Due to this potentially inefficient and time-consuming process, the FTC has not used its rulemaking authority to issue rules related to data security. n55
As with formal rulemaking, the FTC has also declined to clarify "fair" data security through formal adjudication. The FTC argues that its consent orders provide fair notice. n56 According to the FTC, it has brought more than 40 data-security enforcement actions since 2000. n57 At least seventeen of those actions alleged unfair practices. n58 However, none of the cases resulted in formal adjudications by the FTC or the courts. n59 Instead, each resulted in a settlement agreement with the respective defendants. The FTC publishes information about its enforcement activity, including the details of the complaints and consent orders, n60 in what some proponents of this approach increasingly refer to as an emerging "common law" of privacy. n61
The FTC's settlement and consent decree-focused approach to data security consumer protection arguably gives entities some degree of actual notice of the agency's interpretation of [Sec.] 5. The FTC's data-security-related complaints frequently use terms like "reasonable," "appropriate," "adequate," or "proper" to describe the security safeguards that the agency maintains are required under [Sec.] 5. n62 These complaints, which form the basis of the underlying consent orders, alleged that [Sec.] 5 was violated due to some combination of failing to: have an information security policy; implement system monitoring; fix known vulnerabilities; maintain firewalls and updated antivirus software; use encryption; implement intrusion detection and prevention solutions; store information only as long as necessary; and prepare for known or reasonably foreseeable attacks. n63 However, because the FTC cryptically states that the failures "taken together" violate [Sec.] 5 and each complaint lists different data-security practices, these complaints do not provide an effective "data-security blueprint." The FTC's standard mode of operation is to issue non-authoritative suggested guidelines and deal with unfairness actions through settlement. Neither of these practices provides entities with reliable guidance useful in avoiding unfairness actions.
The FTC's consent orders in data-security cases also require some specific data-security practices of those companies whose practices are now supervised directly by the agency, n65 such as a requirement that the company implement a "comprehensive information security program." n66 The imposed program typically includes: (1) designating employees responsible for data security; (2) implementing reasonable safeguards to protect against identified security risks, including prevention, detection, and response to intrusions; (3) implementing privacy controls appropriate for the business, data use, and sensitivity of the information; and (4) performing regular testing, monitoring, and adjusting of privacy controls. These data-security practices also may give entities some notice of what the FTC believes [Sec.] 5 requires, but whether they are authoritative interpretive documents, given their negotiated, non-precedential nature, lack of judicial review, and agency statement of their non-binding nature, remains an open question.
THE FTC'S PUBLIC STATEMENTS
Even though the FTC has not exercised its specialized hybrid-rulemaking authority to issue any formal data-security rules or regulations, the FTC argues that it "has been investigating, testifying about, and providing public guidance on companies' data-security obligations under the FTC Act for more than a decade" n67 and that companies have sufficient notice "from both government and industry sources," suggesting that companies can follow the NIST, PCI-DSS, or ISO standards. n68 The FTC also argues that its business guidance provides fair notice. n69
In 2011, the FTC issued Protecting Personal Information: A Guide for Business, which lists 36 detailed recommendations related to network security, password management, laptop security, firewall usage, wireless and remote access, and detection of data breaches. n70 Many of the recommendations listed in this publication also appear in the FTC's complaints. The document also explains that "[s]tatutes like . . . the Federal Trade Commission Act may require you to provide reasonable security for sensitive information" n71 although the statute neither refers to "security" nor defines "sensitive information." n72
The FTC has also been a leader amongst various agencies in using the Internet and social media to disseminate information about the law and best practices. For example, an FTC Web site posting by an FTC attorney states, "[T]he FTC has tried to develop a single basic standard for data security that strikes the balance between providing concrete guidance, and allowing flexibility for different businesses' needs. The standard is straightforward: Companies must maintain reasonable procedures to protect sensitive information. Whether a company's security practices are reasonable will depend on (1) the nature and size of the company; (2) the types of information the company has; (3) the security tools available to the company based on the company's resources; and (4) the risks the company is likely to face." n73 The crux of the constitutional question is: when are these settlements, tweets, speeches, and blog posts authoritative for interpretive purposes? And, assuming they can be, do they create the "ascertainable certainty" the Constitution requires before penalizing a party?
APPLYING THE FAIR NOTICE DOCTRINE TO THE FTC'S INTERPRETATION OF SECTION 5
The D.C. Circuit's "ascertainable certainty" fair notice test is a helpful way to examine the FTC's data security enforcement activities to see what data protection may be required as a matter of law. In its fair notice analysis, the D.C. Circuit reviews whether: (1) the plain text of the law is silent or unclear, and the entity's interpretation is plausible; (2) the agency has published clarification of its interpretation or performed other actions providing notice; (3) the agency has made conflicting interpretations; and (4) the entity faces a serious penalty. As described more fully below, in a nutshell: the statutory text is silent; the agency's interpretations are often seemingly unknown or unknowable in the eyes of those prosecuted; the agency maintains it has clarified its interpretations and otherwise provided fair notice; and, as a result of these interpretations, those prosecuted face serious penalties.
SECTION 5 IS SILENT ON DATA SECURITY
The text of [Sec.] 5 prohibits "unfair or deceptive acts or practices in or affecting commerce." n74 But the practical difficulties confronting the agency and those subject to its regulation are readily apparent when one refers to the enabling text of the statute itself. The FTC Act prohibits "unfair or deceptive acts or practices," n75 and leaves the agency with broad authority and discretion to regulate practices that "cause[ ] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." n76
THE FTC PUBLICATIONS ARE ADVISORY AND UNCLEAR
When the statutory language does not provide clarity on legally required data-security safeguards, agency statements or activities take on added significance. In particular, a reviewing court should not confine its inquiry to a search for some document listing information that it could label "actual notice," because in most cases evidence will suggest that some notice existed. Rather, a reviewing court should focus on whether the provision of notice through methods, such as recommendations and consent orders, constitutes fair notice and satisfies due process. Under this analysis, the FTC's recent and historic notice methods in this area remain problematic under the fair notice doctrine, because they do not clearly distinguish the law from best practices or explain why legal requirements may apply in some cases and not others. n78
The D.C. Circuit conducts a broad inquiry for sources of notice. Previously, it has reviewed regulatory guidance and notices of proposed rulemaking published in the
The FTC Has Not Published Notice in the
The FTC has not issued any guidance or notices in the
The FTC Has Used Only Informal Adjudicatory Processes
Agency adjudications are formal actions by an agency, and entities regulated by that agency closely scrutinize them. n83 These adjudications may provide precedential value, and entities are aware that adjudications are policymaking tools for agencies. Therefore, agencies may expect entities to be aware of relevant agency adjudications.
The FTC has not issued any adjudicatory opinions expressing its view on what data-security practices [Sec.] 5 requires. Instead, as sources of notice, the agency points to the collection of published complaints and the attendant consent orders describing one entity's particular data-security practices that the FTC has deemed inadequate. n84 Courts might consider both sources as guidance from the agency as a whole under the "ascertainable certainty" test.
Complaints and consent orders are not part of a formal adjudicatory process and do not contain reasoned analysis of the FTC's interpretation of the law. n85 Rather, the complaints list what the FTC believes to be faulty data-security practices in one particular case. The circumstances of each case differ, and, unlike formal adjudications, the FTC has not articulated why data-security practices in one case may violate [Sec.] 5 while those same practices may not violate [Sec.] 5 in another context. Moreover, the consent orders are settlement agreements among the parties and have no legal bearing, precedential or otherwise, on third parties. n86 For these reasons, there is little reason for a court to accept such statements as "authoritative" for purposes of evaluating whether they provide constitutionally required fair notice. If regulated entities cannot know with certainty that the complaints and consent orders are the law as applied to them, then the complaints and consent orders may not be sufficiently authoritative to provide fair notice.
An agency can expect an entity that it regulates to comply with policy made through formal adjudication. However, requiring entities to review allegations contained in unfiled complaints with attendant settlement orders begs the question as to whether such actions are suitably authoritative to address fundamental fairness concerns. n87
Fair Notice Analysis of the FTC's Best Practices Guide
Sadly, for whatever reason, the agency itself has done less than it could to help clarify which of its statements should have the force of law or otherwise provide guidance on the underlying legal requirements for data security. For example, the FTC describes its data security guide, Protecting Personal Information: A Guide for Business, as: "Practical tips for business on creating and implementing a plan for safeguarding personal information." n88 The guide suggests to "[u]se the checklists on the following pages to see how your company's practices measure up--and where changes are necessary." n89 The guide does not state that the items in the checklists are required by law or that an entity's compliance with the checklists will ensure that its data security is not an unfair practice. The guide further provides little instruction on when a particular recommendation is a legal requirement or otherwise is or would be a best practice.
Courts, including the D.C. Circuit, have not yet reviewed generally whether an agency's best practices guide provides fair notice of unlawful conduct. If a reviewing court finds that a best practices guide is "authoritative," the court likely would consider the FTC's best practices guide in its analysis. n90 However, there will be a question of the amount of weight a court will give such a guide since it is only a set of recommendations. n91
Courts place agency action on a spectrum to determine how much deference to afford an agency interpretation of the laws that it enforces. On one end of the spectrum formal rulemaking and adjudication and some informal actions are afforded Chevron deference. n92 On the other end of the spectrum are interpretations made by agencies to which
The FTC Data-Security Best Practices Guide is simply a list of recommendations; it is not the result of formal rulemaking or adjudication and does not bind any parties. It is more similar to the policy statements, agency manuals, enforcement guidelines, and opinion letters that courts have held do not deserve Chevron deference. For an interpretation to provide fair notice, it must come from a position of authority. n96 Similarly, staff attorneys' Internet postings discussing data security do not represent the entire agency and are not authoritative. Accordingly, a court would probably not appropriately consider the FTC staff attorneys' Internet postings at all in its fair notice analysis. Doctrinally, Mead laid important groundwork regarding why much of what the FTC has been saying, especially given its chosen means, raises serious constitutional questions of fair notice.
Concerns Stemming from the Lack of Concrete and Authoritative Notice
Apart from consent orders, n97 the FTC's interpretive guidance to entities consists of little more than published reports. In particular, the agency has not used its formal rulemaking authority and has not had any formal adjudication through which to communicate its interpretations. Thus, entities have very little guidance. They have: (1) lists of fairly detailed data-security practices published in single-party complaints; (2) consent orders with vague descriptions of comprehensive information security programs; and (3) published guidance in which the FTC encourages rather than requires entities to implement data-security safeguards. With such scant and non-authoritative guidance, the central due process question remains whether such information provides "fair" notice adequate to address constitutional concerns. To be sure, the FTC's published complaints, consent orders, and the aforementioned data-security guide identify many of the same data-security requirements it alleges investigation targets do not adequately maintain. Nevertheless, some notice is not fair notice, which is a practical constitutional question befuddling many individuals and begging the question: Does reasonable information security require an FTC and administrative law specialist to figure out what the law requires?
Due process requires examining the nature and quality of the notice to ensure entities have a clear description of required behavior from an authoritative source (i.e., fair notice), which settlements with third parties and agency recommendations do not provide. Moreover, a post hoc review of whether sufficient authoritative notice existed at the time of the alleged violations is difficult given that even an assessment of current requirements is impossible.
Section 5 Violation May Result in Serious Penalty
Under [Sec.] 5, the FTC cannot directly impose or request a monetary penalty.
Given the relative paucity of authoritative agency interpretation, whether existing FTC activities have provided "fair notice" remains an open question. Section 5 of the FTC Act gives the FTC broad authority to combat "unfair trade practices." The statutory language does not provide notice of required data-security safeguards. The FTC has chosen not to issue regulations to explain what data-security practices are "unfair." While the agency's informal communications may provide some notice about the FTC's position, whether courts should deem these communications as sufficiently authoritative to provide fair notice is questionable. Perhaps more importantly, many businesses struggle with understanding what's required of them and are often stunned after a security incident to learn that the party most likely to be prosecuted is in fact the organization that held the underlying information, not the perpetrators.
CHALLENGES OF THE FTC'S APPROACH AND MOVING FORWARD
Even if a court concluded that fair notice of required data security practices exists, there seems to be little doubt that underlying legal requirements and the process of determining what is "reasonable" data security could be communicated more effectively. Ironically, an agency that calls on companies to be more transparent about their business practices has not been transparent about its data-security policy, seemingly constrained by the practical difficulties of using investigations and enforcement actions to provide fair notice.
The D.C. Circuit recommended agency rulemaking instead of a series of adjudicative proceedings to explain a regulation because "full and explicit notice is the heart of administrative fairness." n101 The FTC seems to agree that traditional APA rulemaking may be superior to adjudicative proceedings, but it has not yet undertaken to use the modified APA rulemaking authority it already possesses. The FTC has supported federal legislation that would prescribe data-security requirements. The agency recommended that
FORMAL RULEMAKING MAY PROVIDE FAIR NOTICE BENEFITS
The FTC Has Issued Rules Pursuant to Other Data-Security Related Statutes
While the FTC has not used its current limited rulemaking authority under [Sec.] 5 to clarify "unfair" data-security practices due to onerous rule-making proceedings,
While the final rules the FTC implemented may result in inflexible requirements rather than adaptable principles, the quality of the rules promulgated by the FTC in these instances is beside the point for addressing fair notice concerns. n107 All parties received an opportunity to participate in a public and deliberative process and potentially affect the outcome. The rulemaking process also leads to rule refinement outside the enforcement context, which may allow the parties to more objectively view and craft the rules. As it currently stands, recent agency data-security investigations reflect private, non-public refinement of statutory interpretations lacking transparency and clarity. This process runs the practical risk of creating a costly and vexatious guessing game for businesses constrained by a lack of consensus and clarity. The FTC clearly does not intend this consequence. Those subject to FTC data security requirements lack the benefit of any authoritative policy statements on these issues.
Fair Notice Benefits of Rulemaking
There are specific fair notice advantages to rulemaking over the prosecution and settlement approach used by the agency. n108 Rulemaking can provide regulated entities with clear guidance, incorporate the thinking of additional stakeholders, prevent cynical speculation regarding agency decision-making, and lessen enforcement and compliance costs. n109 Further, improved notice of a clear rule would likely result in greater compliance. n110 The FTC has not used its existing [Sec.] 5 rulemaking authority to clarify "unfair" data-security practices because of its alleged impracticality. n111 The FTC does not believe it would "be possible to set forth the type of particularized guidelines" to describe proper data-security safeguards. n112 It has stated that "[d]ata security industry standards are continually changing in response to evolving threats and new vulnerabilities and, as such, are 'so specialized and varying in nature as to be impossible of capture within the boundaries of a general rule." n113 The FTC has also stated that "industries and businesses have a variety of network structures that store or transfer different types of data, and reasonable network security will reflect the likelihood that such information will be targeted and, if so, the likely method of attack." n114
The FTC's statements are mystifying for two reasons. First, if the FTC does not believe that it can properly define "reasonable," fair notice of the reasonableness standard seems unlikely. n115 Second, the FTC seems to have taken the stance that, because technology changes frequently, drafting regulations would be fruitless. However, drafting flexible, principles-based regulations would provide guidance to entities and would still apply as technology changes. The concept of drafting laws in an ever-changing world is nothing new. Moreover, the complaints that the FTC filed a decade ago look similar to the complaints that the agency is filing today. n116 Therefore, the FTC's own actions seemingly contradict its claim that regulations would be impractical or out of date upon publication.
FORMAL ADJUDICATION MAY PROVIDE FAIR NOTICE BENEFITS
A formal adjudicatory process can help provide notice to entities in two ways. When the FTC seeks a formal adjudication, the FTC must report its findings of fact. These findings of fact would clearly and officially communicate which data-security practices violate the FTC's interpretation of [Sec.] 5. This mode of operation is superior to the current complaint and settlement process regarding confusion about legal requirements because it puts the FTC on record and may create greater predictability for entities subject to enforcement. To be effective, the agency would need to articulate its interpretation and rationale, which the current investigation-complaint-settlement routine does not. Moreover, the FTC or court can publish an opinion, which will further enunciate and clarify the FTC's interpretation. Judicial review also may provide authority supporting the interpretation.
Like rulemaking, this method of clarifying the FTC's interpretation can provide additional benefits, such as improving legal compliance and preventing entities from wasting resources by attempting to comply with unclear requirements. n117 Nevertheless, adjudication may remain less desirable than rulemaking because regulation by adjudication means that nonparties may not be able to protect their rights. n118 In addition, when regulating by adjudication, the public cannot directly monitor an agency. n119
ADVISORY OPINIONS, POLICY STATEMENTS, AND OTHER COMMUNICATIONS
Policies made through formal rulemaking and adjudications are more definitively authoritative and can provide entities with clear notice. Advisory opinions, policy statements, analysis appended to proposed consent orders, and other similar communications are less formal and authoritative, but possibly more effective than the current complaint and settlement process and best practice recommendations, as they can communicate agency reasoning and principles.
CONCLUSION
No formal rulemakings or adjudications related to data security have occurred to date, and the FTC appears to regulate data security primarily through complaints and consent orders. This method creates ambiguity because complaints and consent orders are inconsistent or lack additional helpful information. It also is unclear whether nonparties to the investigation should attempt to follow the complaint, the consent order, neither, or both, or whether implementing some or all of the measures would result in "fair" data security. The FTC's position that "security standards can be enforced in an industry-specific, case-by-case manner" n120 provides little guidance. This inherent ambiguity poses dangerous and unnecessary compliance risks for regulated entities due to the potentially serious penalties that may result from non-compliance.
The FTC's existing enforcement and guidance practices also pose serious constitutional concerns of providing fair notice. Given the current environment of aggressive enforcement against the victims of third-party criminal hacking, who operate with no clear guidance on what data security actions they should take to avoid allegations of unfair and deceptive acts and practices, improved authoritative interpretations of [Sec.] 5 are crucial to improve compliance and provide entities with sufficient information to perform proper risk management.
The FTC has several alternative methods for providing more useful and authoritative guidance to entities, but simply stating a vague standard will not improve the situation if it does nothing to clarify the underlying uncertainty or to resolve the problem of fair notice. A "reasonableness" test absent additional, flexible principles-based authoritative guidelines or significant additional court-resolved litigation will remain problematic. As FTC guidance states, "[t]here's no one-size-fits-all approach to data security, and what's right for you depends on the nature of your business and the kind of information you collect from your customers." n121 In other words, data-security standards may differ as a function of the sensitivity of the data collected, the amount of data collected, and how the data is collected, used, and disclosed to third parties. Using the standards of "reasonable" and "appropriate" without accounting for the nature of the business and the kinds of information that are collected may not ensure that fair notice occurs. However, these factors should at least be considered as crucial inputs when determining the data-security safeguards an entity should implement. Nonetheless, such additional standards would still provide no useful guidance without substantial additional stakeholder participation or the reasoned and thorough discussion of the flexible standard in a formal adjudicatory opinion, policy statement, or advisory opinion.
Moreover, even if the FTC employed formal rulemaking or adjudication, the reasonableness test without explanation as currently relied upon by the agency seems less useful in contexts like data security, where the meaning of "reasonable" remains subject to ongoing technological evolution and prevailing data-protection preferences. This is evident now as society continues to debate the balance of strong privacy protections against the societal benefits of the free-flow of information. n122 And notably, the FTC itself does not seem to consistently define what information is "sensitive," potentially deserving greater protection. n123 Thus, there may be no such thing as "reasonable" privacy and data-security practices until a more satisfactory consensus on these issues emerges.
Given the lack of agreement on what "privacy" is, what data should be protected, and what data-security practices should be used to protect that data, any rule based on "reasonableness" should also include explanation. Otherwise, the rule is entirely arbitrary, and "reasonable" security will be whatever the FTC dictates at that point in time. At any given time, an entity would be unable to determine with precision what data-security practices are "reasonable," and whether it could ensure successful compliance with [Sec.] 5. This situation creates due process challenges and a palpable risk of post-hoc rationalization. For all of these reasons and those laid out above, the agency continues to have a unique opportunity to take up many of the tools it has at its disposal to address the practical problem that businesses face in being unable to determine better what data security measures are required as a matter of law and which practices are simply better or best.
n1 The views contained in this testimony solely represent the views of myself in my individual and private capacity and are not necessarily the views of my firm, our clients, or any particular institution with whom I may be affiliated.
n2 2014 Data Breach Investigations Report,
n3 Notably, some states, such as
n4 See Plaintiff's Response in Opposition to
n5 15 U.S.C. [Sec.] 45 (a)(1) (2006).
n6 Plaintiff's Response in Opposition to
n7 Id. (stating that seventeen of the thirty-six cases brought under the FTC Act alleged unfair practices).
n8
n9
n10 Fair notice is particularly important when courts defer to an agency's interpretation of the scope of its jurisdictional authority. When agencies may define the breadth of their authority under broadly-worded statutes, fair notice may be one of few constraints on arbitrary and capricious agency action. For example, in
n11 In its response to
n12
n13 See e.g.,
n14
n15
n16 Chevron,
n17
n18 Id. (citing Diamond Roofing, 528 F.2d at 649).
n19 See McElroy Elecs. Corp. v.
n20
n21 Id. at 1330-31 (quoting McElroy Elecs., 990 F.2d at 1358).
n22
n23
n24 Id. (finding that notice was provided when the agency had previously cited the defendant for regulation violations).
n25
n26
n27 In the litigation context, the FTC also has not clearly stated what features of its consent orders are legal requirements. The FTC states that certain data security activities must be evaluated, but it does not state that the activities must be implemented. Wyndham FTC Response, supra n. 4, at 19 ("Although every situation is different, the consent orders in these matters provide industry, including
n28
n29
n30 McElroy Elecs.Corp. v.
n31
n32
n33 McElroy Elecs., 990 F.2d at 1363; Satellite Broad., 824 F.2d at 2; Radio Athens, 401 F.2d at 403.
n34
n35 15 U.S.C. [Sec.] 45 (a)(1) (2006).
n36 Id. [Sec.] 45 (n).
n37 Letter from the FTC to Hon.
n38 FTC v.
n39 Int'l Harvester, 104 F.T.C. at 1086.
n40 Id. at 954.
n41 FTC v.
n42 In the class action context, plaintiffs have faced obstacles in meeting standing requirements when they argue that data breaches result in a cognizable harm, going so far as to claim that paying for identity theft protection services to preempt identity theft is an economic harm caused by the breach. Lower courts have gone both ways on the standing question. Compare Reilly v.
n43 The uncertainty of consumer injury in the data-protection context, and the difficulties inherent in identifying it, are discussed in the briefs of amici curiae in the Wyndham Case.
n44 15 U.S.C. [Sec.] 45(b)-(c), (g) (2006).
n45 15 U.S.C. [Sec.] 53(a)-(b) (2006).
n46 16 C.F.R. [Sec.] 2.34 (2012).
n47 Section 5(1) of the FTC Act, 15 U.S.C. [Sec.] 45(1) (2006), as modified by Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. [Sec.] 2461 (2006), and Section 1.98(c) of the FTC's Rules of Practice, 16 C.F.R. [Sec.] 1.98 (c) (2012), authorizes a court to award monetary civil penalties of not more than
n48 15 U.S.C. [Sec.] 45(l).
n49 Order Approving Stipulated Order for Permanent Injunction and Civil Penalty Judgment at 1-2,
n50 Id. at 2.
n51 Id. at 7.
n52 15 U.S.C. [Sec.] 57a (a)(1)(B) ("[T]he Commission may prescribe . . . rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce . . . .").
n53
n54 15 U.S.C. [Sec.] 57a(b), (c); see also Brief of Amici Curiae Chamber of Commerce of
n55 Prepared Statement of the
n56 Wyndham FTC Response, supra n. 4, at 19.
n57 Id. at 13.
n58 See also Tech Freedom Brief at 4.
n59 In
n60 Id.
n61 See, e.g.,
n62 In its response to
n63 Complaint at 2-5, In re
n64
n65 Consumer Online Privacy: Hearing Before the S. Comm. on Commerce, Sci., and Transp., 111th Cong. 9-11 nn.20-25 (2010) (testimony of
n66 E.g., Decision and Order at 6-7, In re
n67 See Plaintiff's Response in Opposition to
n68 Wyndham FTC Response, supra n. 4, at 17-18.
n69 Id. at 18-19.
n70 FED. TRADE COMM'N, PROTECTING PERSONAL INFORMATION: A GUIDE FOR BUSINESS, (November, 2011), available at http://www.business.ftc.gov/sites/default/files/pdf/bus69-protecting-personal-information-guide-business_0.pdf.
n71 Id. at 5.
n72 In fact, the troubling constitutional implications of having the government regulate how and what people can say about someone to protect privacy continue to present recurring problems. See, e.g., Bartnicki v. Vopper,
n73
n74 15 U.S.C. [Sec.] 45 (a)(1) (2006).
n75 Id.
n76 Id. [Sec.] 45(n).
n77 See FTC v.
n78 The FTC argues in
n79
n80
n81
n82 More practically, courts have not addressed the question of what types of agency activity should be deemed authoritative for purposes of fairness analysis in ways similar to the analysis of agency deference in Chevron or Mead.
n83
n84 A collection of complaints and consent orders can be found on the FTC's website. Legal Resources, BUREAU OF CONSUMER PROT., http://business.ftc.gov/legal-resources/29/35 (last visited
n85 See TechFreedom Brief at 8 ("Settlements (and testimony summarizing them) do not in any way constrain the FTC's subsequent enforcement decisions . . . [and] unlike published guidelines, they do not purport to lay out general enforcement principles and are not recognized as doing so by courts and the business community.").
n86
n87
n88 FED. TRADE COMM'N, supra n. 70.
n89 FED. TRADE COMM'N, supra n. 70.
n90 The D.C. Circuit reviews "public statements issued by the agency."
n91 Distinguishing between what is required and what is advisory in these guides can be practically impossible without authoritative distinctions between the two, an issue frequently discussed among practitioners and agency staff and management.
n92
n93 See id. at 231.
n94 See id. at 231-34.
n95 Id. at 234;
n96
n97 Thirty-six data-security cases were brought under the FTC Act. Plaintiff's Response in Opposition to
n98 Michael J. Pelgro, Note, The Authority of the
n99 15 U.S.C. [Sec.] 45(l) (2006) ("Any person, partnership, or corporation who violates an order of the Commission after it has become final, and while such order is in effect, shall forfeit and pay to
n100 Id. [Sec.] 53(b) (allowing the court to issue a temporary restraining order, preliminary injunction, or permanent injunction).
n101
n102 FED. TRADE COMM'N, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE 37 (2000) [hereinafter FED. TRADE COMM'N, PRIVACY ONLINE].
n103 Id. (internal quotation marks omitted).
n104 See 15 U.S.C. [Sec.] 1681m(e) (FACTA); id. [Sec.] 6502(b)(1) (COPPA).
n105 See Children's Online Privacy Protection Rule, 78 Fed. Reg. 3972, 3972-73 (
n106 See Children's Online Privacy Protection Rule, 64 Fed. Reg. 59,888, 59,889 (
n107 Rulemaking is not a panacea. Inflexible rules in a fast-changing environment are problematic. However, the FTC can and should provide clear notice on what the law is. Rulemaking is one method to improve such notice. Rules are not inherently bad, and a principles-based data-security legal framework (rather than a detailed data-security standard) would be one workable solution. The FTC has already articulated 36 detailed recommendations in its guidance. FED. TRADE COMM'N, supra n. 70. The FTC has also pointed to the NIST and ISO standards for guidance. Wyndham FTC Response, supra n. 4, at 18. The agency holds companies accountable to some or all of these recommendations in some fashion. Id. at 17-19.
n108 See Tech Freedom Brief at 9-10 (noting the ways in which rulemaking is preferable to case-by-case adjudication as a method of developing agency-enforced law).
n109
n110
n111 Prepared Statement of the
n112 Wyndham FTC Response, supra n. 4, at 20. At the same time, the
n113 Id. (quoting
n114 Id.
n115
n116 Compare Complaint for Permanent Injunctive and Other Equitable Relief, FTC v. Wash. Data Res., Inc., No. 8:09-cv-02309-SDM-TBM (
n117
n118
n119
n120 Wyndham FTC Response, supra n. 4, at 22.
n121 FED. TRADE COMM'N, supra n. 70, at 23.
n122 WHITE HOUSE PRIVACY BILL OF RIGHTS, supra n. 112, at 5-6.
n123 In its recent privacy report, "[t]he Commission defines as sensitive, at a minimum, data about children, financial and health information,
Read this original document at: http://oversight.house.gov/wp-content/uploads/2014/07/Stegmaier-Statement-7-24-FTC.pdf
Copyright (c) 2010 Federal Information & News Dispatch, Inc.