High Court Deals Blow to Data Privacy Regulations

Like the Kübler-Ross stages of grief, there are multiple stages of data breach: anger, denial, blame, investigation, litigation, regulation and, ultimately, resignation. The litigation stage includes possible class action litigation by consumers, banks, vendors, suppliers or others impacted by the failure to adequately protect data, shareholder derivative lawsuits by investors for failure to protect critical corporate assets, payment card industry “fines” (actually, contract penalties) and costs associated with breach notifications and mitigation. One arrow in the government’s quiver has been the possibility of enhanced government regulation. But a U.S. Supreme Court decision on April 21 calls into question the ability of at least one government agency to impose certain sanctions for failures to protect data privacy and security.

In the United States, unlike in Europe or other countries, there is no single comprehensive data privacy law, and only a patchwork of data security laws, typically focused on specific industries (e.g., financial services, healthcare) or specific jurisdictions (e.g., Massachusetts, Utah). As a result, a company’s legal obligations to protect the confidentiality, integrity and availability of data may depend on where that data is located, where the data subject resides or where the corporation regularly conducts business.

Since the 1990s, the U.S. Federal Trade Commission has assumed the ability to regulate both the data privacy policies and practices of companies doing business in the U.S. and the data security policies and practices of many such companies, using as its legal authority a 1914 law which prohibits “deceptive” or “unfair” trade practices. The same statute which requires the TV commercial for Toy Story’s Buzz Lightyear character to include the appellation “Not A Flying Toy” is used to justify comprehensive regulation of almost all industries in the United States for data privacy and data security – as if Congress, in the midst of a World War, was actually granting a government agency the authority to regulate data privacy and computer security.

The idea behind the FTC’s authority is that companies that promise consumers that they will protect their privacy or secure their data and fail to do so are committing a “deceptive” trade practice (promising and not delivering), and that companies that make no such express or implied promise may nonetheless be responsible for “unfair” trade practices – that is, unreasonably exposing consumers’ data to compromise, irrespective of any promises made to them. Under this rubric, the FTC has gone after companies like Facebook, Cambridge Analytica, credit reporting agencies and hundreds of others.

Typically, if the FTC decides to proceed with an enforcement action, the case is either litigated or settled, and a typical settlement requires the regulated entity to demonstrate that it has a comprehensive and effective data privacy or data security program with independent third-party oversight and testing, and requires the entity to report the results of such evaluations to the FTC for a period of twenty years. In 2018, a federal appeals court in Atlanta ruled that an equitable order compelling a company to maintain “reasonable” data privacy and security practices was too vague to enforce, curbing the FTC’s use of equitable remedies to compel general privacy or security practices. As a result, the FTC has been going to court to compel companies to make monetary compensation to “victims” of deficient privacy or data security practices.

And that’s where the problem lies.

Section 5 of the FTC Act gives the agency the authority to regulate unfair and deceptive trade practices. The statute also gives the FTC the authority to start either administrative proceedings or court proceedings and to issue cease and desist orders, to seek civil penalties and obtain an order from a federal district court granting mandatory injunctions and “such other and further equitable relief as they deem appropriate in the enforcement of such final orders of the Commission.” The FTC Act also permits courts in some cases to grant “such relief as the court finds necessary to redress injury to consumers” in cases where someone has engaged in unfair or deceptive conduct, with respect to which the Commission has issued a final cease and desist order applicable to that person.

In Olde England, there were the King’s Bench courts of law and the Ecclesiastical Courts of Justice, each with their own legal authority; but in short, the law courts could award damages and provide punishments (legal remedies) and the justice courts could order people to do things or refrain from doing things (equitable remedies). While these distinctions have been largely abandoned for jurisdictional purposes, a statute which grants the power to seek or obtain equitable remedies (injunctions, cease and desist orders, etc.) does not, by its terms, authorize that body or court to issue an award of monetary damages. Nonetheless, in cases of alleged deceptive trade practices, the FTC has been going to court and asking that “victims” of these practices receive damages.

The Supreme Court – in a case unrelated to privacy or security – held that the language and structure of the FTC Act do not permit a court to award monetary damages or compensation unless the FTC has completed an administrative action, ordered the entity to do something (or refrain from doing something), and the damages flow from the violation of that administrative order. The high court held that “[t]he language and structure of [the law] taken as a whole, indicate that the words ‘permanent injunction’ have a limited purpose – a purpose that does not extend to the grant of monetary relief …” This means that, in cases in which it alleges violations of privacy or data security that cause “harm” to “victims,” the FTC probably can’t just go into court and demand that the affected company be ordered to compensate those victims.

This may change. Congress is considering legislation (HB 2668) and has held hearings on ways it can give the FTC greater authority to regulate and seek monetary damages in cases of alleged unfair or deceptive practices. So the blow may not be fatal, and may not be permanent. In the meantime, companies should continue not only to have, but to be able to demonstrate that they have, comprehensive and workable data privacy and data security programs and practices that provide reasonable security and data privacy, whether the courts can order monetary damages or not.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.