02 Mar FTC To Face Grilling By 3rd Circ. Over Data Security Powers
Law360, New York (February 27, 2015, 8:55 PM ET) — The scope of the Federal Trade Commission‘s authority will take center stage at the Third Circuit on Tuesday, with questions posed by the appellate panel in advance of the arguments indicating that the regulator faces an uphill battle to fend off Wyndham Worldwide Corp.’s claims that the agency doesn’t have the power to regulate companies’ cybersecurity practices.
The highly anticipated oral argument session, which is slated to kick off on Tuesday morning before a three-judge panel in Philadelphia, will mark the latest step in the appellate court’s interlocutory review of an order issued by U.S. District Judge Esther Salas in April that rejected Wyndham’s contention that the commission does not have the authority under the unfairness prong of Section 5 of the FTC Act to police allegedly lax corporate data security practices.
“This is going to be one of the most important decisions that is going to come down over data security, because it’s really going to determine the jurisdiction of the FTC, which has planted itself as the principal regulator in this area,” said Fox Rothschild LLP privacy and data security practice leader Scott Vernick.
With the potentially game-changing arguments looming, the Third Circuit panel offered some insight into its thinking by taking the unusual step of sending the parties a letter on Feb. 20 that expanded on the pair of questions that Judge Salas had asked the appellate court to consider.
In her June order sending the dispute to the Third Circuit, Judge Salas certified the questions of whether the commission can bring an unfairness claim involving data security under Section 5 and, if so, whether the FTC must formally promulgate regulations before bringing its unfairness claim.
But in its recent letter, the appellate panel asked counsel to be prepared to discuss a slightly different pair of questions during oral arguments, beginning with whether the FTC has declared through the procedures provided in the FTC Act that unreasonable cybersecurity practices are “unfair.”
The panel continued by saying, “Assuming that it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are ‘unfair’ in the first instance, and if so, can the courts do so in this case” brought under the regulator’s authority to enjoin an entity that the commission believes is violating the FTC Act.
“These questions imply that the Third Circuit is still grappling with the question of what authority the FTC has to enforce the prohibition against unfair practices under the FTC Act in the context of cybersecurity,” said Shook Hardy & Bacon LLP data security and data privacy practice co-chair Al Saikali. “The FTC will want to demonstrate that its treatment of Wyndham is consistent with how it has applied the unfair practice prong of the act in the past. If the FTC can’t make the required showing, it will face an uphill battle trying to establish why it now wants to do so for the first time, and it means that the court may need to apply a tougher standard.”
The possibility that the Third Circuit may push back hard on the commission’s long-running assertion that it has broad authority to regulate practices that it deems to be “unfair” is surprising, giving the reception the contention received at the district court level.
In her opinion, Judge Salas strongly endorsed the regulator’s position, saying that an “untenable consequence” of the hotel chain’s argument that the FTC must provide fair notice of what constitutes “unreasonable” data security standards would be that the commission would have to cease bringing all unfairness actions without first proscribing particularized prohibitions, a result that she characterized as in “direct contradiction with the flexibility necessarily inherent” in Section 5.
“Most people have assumed that the FTC would win this case, but this latest inquiry raises some additional doubt about the approach the FTC has been taking in its enforcement activities,” said Wiley Rein LLP privacy practice chair Kirk Nahra.
With its questions, the Third Circuit appears to be pushing for information on the general use of the unfairness doctrine by the commission, and asking whether the FTC is even using that approach in its actions, or if it is asking the court to create something entirely separate, according to Nahra.
“It raises some questions about whether the FTC has been clear in what it is doing, and whether the FTC’s actions can be traced to a specific statutory requirement,” he said. “In my mind, it is raising some new doubts about whether the FTC will win this case.”
By signaling that it is most interested in the hotel chain’s central argument that the unfairness prong does not provide the commission with broad authority to set data security standards, rather than its narrower contention that the FTC has failed to plead facts sufficient to demonstrate a substantial injury to consumers, the appellate panel has given a significant boost to the widespread belief that its ultimate decision will have a seismic impact on the future of data security regulation, according to attorneys.
“If [the Third Circuit] addresses the broader issue of the FTC’s authority, it would mark the first time that a federal appellate court has determined whether the FTC has the authority to bring Section 5 actions based on allegedly inadequate data security practices,” said Kurt Wimmer, chairman of Covington & Burling LLP’s privacy and data security practice. “Although the Third is just one circuit, this would be a highly influential decision — particularly in light of the lack of judicial precedent for the FTC’s privacy and security jurisdiction.”
The second question posed by the appellate panel also raises the less high-profile but equally important question of what role the courts have in regulating data security, especially given the absence of formal guidance from the FTC on the issue, attorneys noted.
“I’m not sure that the court is in any better position than the FTC to make that determination [of what constitutes reasonable data security],” Vernick said. “If you say that the court can, then it’s going to come down to a battle of experts, because the plaintiff is going to put up an expert that says the company did not adhere to the standard of care, and the defendant’s expert will say that the company did.”
However, having the FTC set out proscriptive data security standards in advance of launching enforcement actions, as Wyndham argues it should, may not be the best way to approach the issue either, according to attorneys.
“While it’s technically true that there is a lack of regulation and we don’t know what the standards are, that argument might be overblown,” Vernick said. “A lack of regulation may ultimately be helpful because you don’t risk setting a one-size-fits-all standard for data security that doesn’t fit anybody.”
Wyndham is represented by Eugene F. Assaf, Christopher Landau, Susan M. Davies and K. Winn Allen of Kirkland & Ellis LLP, Douglas H. Meal and David T. Cohen of Ropes & Gray LLP, and Jennifer A. Hradil and Justin T. Quinn of Gibbons PC.
The FTC is represented by its attorneys Joel R. Marcus-Kurn, David C. Shonka Sr. and David L. Sieradzki.
The case is FTC v. Wyndham Worldwide Corp. et al., case number 14-3514, in the U.S. Court of Appeals for the Third Circuit.
–Editing by Katherine Rautenberg and Kat Laskowski.