by Lisa Jose Fales and Jennifer T. Mallon
In January 2006, the Federal Trade Commission (“FTC”) obtained record penalties of $10 million in civil fines and $5 million in consumer redress against ChoicePoint, Inc. (“ChoicePoint”), a data security broker, for compromising the personal financial records of more than 163,000 consumers.2 What is significant about this case is not only the size of the fine, but one of the legal theories upon which the FTC relied – its broad authority granted under the unfairness prong of Section 5 of the FTC Act. ChoicePoint and other data security breach settlements, such as the December 2005 settlement with shoe warehouse retailer DSW Inc. (“DSW”) and the June 2005 settlement with BJ’s Wholesale Club, Inc. (“BJ’s”), reflect an overall enforcement strategy in data security breach cases that often either includes an unfairness claim or, as in the case of DSW and BJ’s, rests exclusively on unfairness.3 The unfairness standard relies on a subjective analysis as to whether the respondent’s data security measures were “reasonable and appropriate to protect personal information and files.”
The “reasonable and appropriate” standard in the data security context is a fluid one, and there is little available specific FTC guidance to companies on how to ensure they meet this standard. Such guidance is sorely needed, given that these cases and ongoing FTC investigations reflect the FTC’s use of its unfairness authority to “create a culture of security.”4 Indeed, at a press conference announcing the settlement with ChoicePoint, FTC Chairman Deborah Platt Majoras underscored:
[T]his penalty tells companies that they must protect sensitive consumer report information. They must guard the front door, that is, their procedures for identifying and verifying customers, as well as guard the back door from hackers and other technological threats. . .
[B]ut if they don’t, then we will step in and we will take action and remind them in the strongest possible way that this is their obligation under the law.5
A practice is unfair if it causes, or is likely to cause, substantial injury to consumers which is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.6 When determining what is reasonable in the data security context, the FTC looks at the totality of the company’s circumstances, including the type and sensitivity of the consumer data at issue, the nature and scope of the company’s business, what others within the industry are doing, and the current state of technology designed to stop breaches. Although “perfection” is not required, it is not at all clear what level of data security is sufficient to satisfy the FTC.7 Companies may look to previous enforcement actions for some guidance; however, there is little specificity in the complaints and orders. As a practical matter, the “reasonableness” criteria present a moving target for companies, and it is difficult, if not impossible, for a company to know with certainty whether its own security practices would be deemed reasonable.
In In re BJ’s Wholesale Club, Inc.,8 the FTC alleged that BJ’s lax security compromised thousands of credit and debit cards. As a result of these security breaches, fraudulent purchases totaling approximately $13 million, according to BJ’s SEC filings, were made using counterfeit copies of credit and debit cards that had been used at BJ’s stores.
Specifically, the FTC alleged that BJ’s:
- failed to encrypt customer information stored on computers in BJ’s stores;
- stored customer information for up to 30 days in violation of bank security rules, even though the data was no longer needed;
- stored the information in files that could be accessed using commonly known default user IDs and passwords;
- failed to use readily-available security measures to prevent unauthorized wireless connections to its networks; and
- failed to use measures sufficient to detect unauthorized access to the networks, or conduct security investigations.
In re DSW Inc.9 reveals some of the same data security failures by the shoe retailer. According to the FTC, the company:
- stored sensitive information in multiple files after it no longer needed it for business purposes;
- failed to use readily-available security measures to limit access to its network via wireless access points;
- stored the information in an unencrypted format that was easily accessible with a commonly known user ID and password;
- failed to sufficiently secure the communications between computers on one in-store network to other in-store or corporate networks; and
- failed to implement sufficient measures to detect unauthorized access.
What is reasonable and appropriate data security in the FTC’s eyes is just one issue for companies faced with an unfairness challenge to their data security practices. The second is what constitutes actual or likely substantial consumer injury, an objective test and a prerequisite to an unfairness finding.10 Consider, for example, the injury finding in the DSW complaint. The FTC claimed that some 1.4 million credit and debit cards and almost 100,000 checking accounts were “compromised” and that there were “fraudulent charges on some of these accounts.” (emphasis added). It also asserted that “some” of the checking account customers “incurred out-of-pocket expenses such as the cost of ordering new checks.” This thin characterization stands in stark contrast to the robust injury discussion in the BJ’s complaint: “[C]ounterfeit copies of [credit and debit] cards were used to make several million dollars in fraudulent purchases. In response, banks and their customers cancelled and re-issued thousands of credit and debit cards that had been used at [BJ’s] stores, and customers holding these cards were unable to use their cards to access credit and their own bank accounts.”
The FTC’s desire to eliminate the requirement of actual or likely consumer injury in data security cases is one of the justifications the Commission offered last June when it asked Congress to extend the FTC’s Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act (“GLBA”).11 The Safeguards Rule requires financial institutions to implement appropriate safeguards to protect the security and integrity of their customer information.12 The FTC asked Congress to extend this requirement to all companies within its jurisdiction. In its testimony, the FTC acknowledged that the injury requirement hinders its data security breach investigations.13
Other justifications the FTC provided to Congress for the extension of the Rule to all companies within its authority include: (1) the extension would legally require companies to implement reasonable security measures in advance of a breach; (2) it would help to create a “culture of security” in business; (3) it would put businesses on notice that they must comply with the law, and they would work with their legal advisors to ensure compliance; (4) it could assist in cross-border enforcement; and (5) the extension could create higher fines for violators.14 Despite these justifications for the need to extend the Safeguards Rule, the FTC has made it abundantly clear through its use of unfairness that, in effect, all companies within its jurisdiction are already bound by the Safeguards Rule requirements. Indeed, the consent orders with ChoicePoint, DSW, and BJ’s require the companies to implement a privacy program containing “administrative, technical, and physical safeguards appropriate to the [company’s] size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers.”15 The consent orders also outline the specific measures that the company should take. These requirements mirror the language of the Safeguards Rule.16
Based on the FTC’s recent security breach investigations, consent orders, Congressional testimony, speeches and press conferences, it is clear that the Commission will continue to exert its broad authority to investigate corporate security breaches under its unfairness standard. Given this aggressive approach, companies and their counsel are well advised to read the “tea leaves” of FTC enforcement actions in this arena to glean any guidance they can on what constitutes “reasonable and appropriate security measures.” An extension by Congress of the Safeguards Rule would mean that the FTC would not have to prove substantial consumer injury resulting from the breach. Practically speaking, however, such an extension would not reflect a seismic shift in how the FTC currently views companies’ obligations to secure consumer and employee sensitive information.