The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


1 Comment

FTC v. Wyndham Update, Part 2

Update (April 10, 2014): For a more recent update on this case, please see this post.

Since our last update, there has been some interesting activity in the matter concerning the Federal Trade Commission’s (FTC) complaint against Wyndham Worldwide, currently pending before the U.S. District Court for the District of New Jersey, and I thought this might be a good time for an update on these proceedings. This case has drawn considerable attention, mainly due to Wyndham’s challenge of the FTC’s authority to bring a data security enforcement action on unfairness grounds under Section 5 of the FTC Act. The outcome in this matter may very well have a profound effect on the FTC’s ability to regulate data security.

When we last discussed this matter, Wyndham’s motions to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the legal authority to enforce data security standards for private businesses, were before the court. On November 7, 2013, Judge Esther Salas heard oral argument on these motions. Wyndham opened by citing FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), as support for their proposition that the FTC’s data security standards exceeded the agency’s authority. Judge Salas remained skeptical during the hearing, stating that she thought Brown & Williamson was distinguishable.

Wyndham further argued that the FTC’s informal data security guidelines are insufficient, and do not provide fair notice of what is required under Section 5. Wyndham questioned both the FTC’s authority as well as their expertise in this area. The FTC countered by asserting that its data security guidelines, which include best practices and past consent decrees, put businesses on notice of what is required to meet a standard of reasonableness.

Following oral argument, Judge Salas denied Wyndham’s motion to stay discovery proceedings, but did not immediately address Wyndham’s other pending motions to dismiss. On December 27, Judge Salas ordered the parties to submit a supplemental, joint letter brief to the Court, addressing the two outstanding motions to dismiss. The parties filed their joint letter brief on January 21.

In the brief, Wyndham once again argued that the FTC lacks the statutory authority to regulate data security practices for every American company. Wyndham pointed out that Congress has limited the FTC’s data security power to only certain, well-defined areas, citing the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA) as evidence of these boundaries. Wyndham dismissed the FTC’s argument that FCRA, GLBA, and COPPA merely supplement the FTC’s existing data security authority as “revisionist history.”

In addition, Wyndham refuted the theory first raised by the FTC at oral argument, that Congress “understood Section 5 to provide the FTC with general police power over data-security matters,” but enacted FCRA, GLBA, and COPPA “for the limited purpose of freeing the Commission from the need to prove substantial consumer injury in specific contexts” as “a far-fetched reconstruction” of Congressional intent. Wyndham cited the context and legislative history of the FCRA, GLBA, and COPPA as further proof that the FTC is exceeding its authority, stating that Congress enacted these statutes “precisely because it believed that data security was not covered by existing statutory provisions, including Section 5 of the FTC Act.” (emphasis in original).

Finally, Wyndham reasserted that, even if the FTC is correct in its understanding of the statutes, they have not provided businesses fair notice required by the Due Process Clause. Wyndham points out that the “FTC has not published any rules, regulations, or guidelines explaining to businesses what data-security protections they must employ to comply with the FTC’s interpretation of Section 5 of the FTC Act.” This has been a growing concern among U.S. businesses, which face a daily struggle against data breaches and other related information security incidents, and are unsure of what “reasonable data security practices” might mean.

In its section of the brief, the FTC responded by asserting that “Section 5 of the FTC Act applies by its terms to all unfair commercial practices,” and “is not susceptible to a ‘data security’ exception.” The FTC highlighted the recent LabMD and Verizon decisions as supporting their argument for statutory authority.

The FTC also reiterated its position that the FCRA, GLBA, and COPPA permit the FTC to enforce these statutes using “additional enforcement tools,” which differentiate them from the FTC Act. Further, the FTC argues that where the FTC Act “merely authorizes,” the FCRA, GLBA, and COPPA “affirmatively compel the FTC to use its authority in particular ways” in certain contexts, which does not “divest the [FTC] of its preexisting and much broader authority to protect consumers against ‘unfair’ practices.”

Finally, the FTC pointed out that, while the court did not request additional briefing on the due process question, they felt obliged to respond to Wyndham’s claim on this point. The FTC asserted that to follow Wyndham’s argument would “undermine 100 years of FTC precedent,” and would “crash headlong” into Supreme Court precedent regarding Section 5 of the FTC Act.

Of note, the FTC has also been making similar arguments before Congress, where the FTC has expressed its support for new data security legislation. In hearings held before House Energy and Commerce Committee, the FTC emphasized its ongoing efforts to promote data security through civil law enforcement, education, and policy initiatives.

The court accepted parties’ brief and submissions of supplemental authority on January 23, and granted Wyndham’s request to submit a five-page letter brief in order to respond to the substantive issues raised by the FTC’s inclusion of the LabMD and Verizon decisions. Wyndham filed this brief on January 29, citing multiple negative responses to these decisions in the press as evidence of a breach of the “fundamental principles of fair notice” that “imposes substantial costs on business.”

Judge Salas has not yet responded to these arguments, but we will certainly be keeping a very close eye on these proceedings and its implications for the FTC regulation of data security standards.


2 Comments

Before Liftoff, Drones Must Maneuver Through Privacy Laws

Unmanned aerial vehicles, better known as drones, are expected to revolutionize the way companies deliver packages to their customers.  Some also imagine these small aircrafts delivering pizzas to a customer’s home or nachos to a fan at a ballgame.  Researchers are even investigating the possibility of using drones to assist farmers with monitoring their crops.  Before drone technology takes flight, however, it will have to maneuver through privacy laws.

The Federal Aviation Administration (FAA) is the agency charged with developing rules, including privacy rules, for private individuals and companies to operate drones in national airspace.  While the precise breadth of FAA rules is not entirely clear, a framework is beginning to develop.  When the FAA recently announced test sites for drones, it also noted that test site operators must: (1) comply with existing federal and state privacy laws, (2) have publicly available privacy policies and a written plan for data use and retention, and (3) conduct a review of privacy practices that allows for public comment.  When soliciting the public for comment on these test site-privacy rules, the FAA received a wide spectrum of feedback.  This feedback ranged from suggestions that the agency must articulate precise elements of what constitutes a privacy violation, to the federal agency was not equipped (and therefore should not attempt) to regulate privacy at all.  It appears that the FAA settled on a middle ground of requiring drones to comply with existing privacy law, which is largely regulated by individual states.

Accordingly, state privacy laws are likely to be the critical privacy hurdle to commercial drone use.  It appears that only four states have thus far expressly addressed the use of private drones (as distinguished from drones used by public agencies, such as law enforcement).  Idaho and Texas generally prohibit civilians from using a drone to take photographs of private property.  They also restrict photography of any individual – even in public view – by such a drone.  And Oregon prevents drones from flying less than 400 feet above a property of a person who makes such a request.  The fourth state, Illinois, restricts use of drones that interfere with hunting and fishing activities.

As for the other states, they may be simply getting up to speed on the technology.  On the other hand, many of these states have considered or enacted laws restricting use of drones by the police.  Because these laws are silent on the use of private drones, one could argue that these states intentionally chose not to regulate private drones (and accordingly, existing laws regarding use of aircrafts or other public cameras, govern use of private drones).

Even though a state has passed a drone-related privacy law, it may very well be challenged on constitutional or other grounds.  For instance – to the extent they prohibit photography of public areas or objects and people in plain view – the Idaho and Texas laws may raise First Amendment questions.  As described in Hurley v. Irish-American, photographers generally receive First Amendment protection when taking public photos if he or she “possessed a message to be communicated” and “an audience to receive that message, regardless of the medium in which the message is to be expressed.”  Under this test, in Porat v. Lincoln Towers Community Association, a photo hobbyist taking pictures for aesthetic and recreational purposes was denied First Amendment protection.  In contrast, in Pomykacz v. Borough of West Wildwood, a “citizen activist” – whose pictures were taken out of concern about an affair between a town’s mayor and a police officer – was found to have First Amendment protection.  To be sure, however, the Supreme Court has acknowledged that “even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech, provided the restriction are justified without reference to the content of the regulated speech, that they are narrowly tailored to serve a significant governmental interest, and that they leave open ample alternative channels for communication of the information.”  For example, under this premise, some courts have upheld restrictions on public access to crime and accident scenes.  All told, we may see drone users assert First Amendment protection for photographs taken of public areas.

Another future legal challenge may involve the question of who owns the airspace above private property.  In United States v. Causby, the Supreme Court appeared to reject the idea of private ownership of airspace.  More specifically, it held that government aircrafts flying over private land do not amount to a government “taking”, or seizure of private property, unless the aircrafts are so low and frequent that they constitute an immediate interference with enjoyment of the land.  In other words, under Causby, the landowner owns the airspace necessary to use and enjoy the land.  But the Court declined to draw a specific line.  At the moment, it is unclear whether Oregon’s law – restricting drones within 400 feet of a home – is consistent with principle.

Lastly, we may see a legal challenge asserting that certain state privacy laws (such as the Idaho or Texas law or others that disallow drone use altogether) are preempted, or trumped.  Congress’s intent to impliedly preempt state law may be inferred (1) from a pervasive scheme of federal regulation that Congress left no room for the states to supplement, or (2) where Congress’s actions touch a field in which the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on that subject.  Applied here, one could argue that Congress has entrusted the FAA with sole authority for creating a scheme for regulating the the narrow field of national airspace, and drones in particular.  Additionally, the argument goes, the federal government has a dominant interest in regulating national airspace as demonstrated by the creation of the FAA and numerous other aircraft regulations.  Under the preemption line of reasoning, state privacy laws may be better focused on regulating data gathered by the drone rather than the space where the drone may fly or actions the drone may take while in the space (e.g. taking pictures).

All told, before official drone liftoff, companies employing drones will have to wait for final FAA rules on privacy.  Whether these final rules track the test site rules discussed above is not for certain.  Likely, the final rules will depend on the public comments received by the drone test sites.  Assuming the final rules track the test site rules, companies using commercial drones should focus on compliance with the various state privacy laws.  But, as noted above, we may see a constitutional challenge to these laws along the way.  Stay tuned.


1 Comment

Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into to our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.


Leave a comment

Recent FTC Actions and Statements Show Continuing Focus on Privacy

The Federal Trade Commission has long taken a lead role in issues of privacy and data protection, under its general consumer protection jurisdiction under Section 5 of the FTC Act (15 U.S.C. §45) as well as specific legislation such as the Children’s Online Privacy Protection Act of 1998 (“COPPA“) (which itself arose out of FTC reports). The FTC continues to bring legal actions against companies it believes have improperly collected, used or shared consumer personal information, including the recent settlement of a complaint filed against Aaron’s, Inc., a national rent-to-own retail chain based in Atlanta, GA. In its October 22, 2013 press release announcing the settlement, the FTC described Aaron’s alleged violations of Section 5:

Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes.

According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites….

The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

The FTC’s Consent Order Agreement with Aaron’s includes a prohibition on the company using keystroke- or screenshot-monitoring software or activating the consumer’s microphone or Web cam and a requirement to obtain express consent before installing location-tracking technology and provide notice when it’s activated. Aaron’s may not use any data it received through improper activities in collections actions, must destroy illegally obtained information, and must encrypt any transmitted location or tracking data it properly collects.

The FTC is also continuing its efforts to educate and promote best practices about privacy for both consumers and businesses. On October 28, 2013, FTC Commissioner Julie Brill published an opinion piece in Advertising Age magazine entitled Data Industry Must Step Up to Protect Consumer Privacy. In the piece, Commissioner Brill criticizes data collection and marketing firms for failing to uphold basic privacy principles, and calls on them to join an initiative called “Reclaim Your Name” which Commissioner Brill announced earlier this year.

Brill writes in AdAge:

The concept is simple. Through creation of consumer-friendly online services, Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions.

Improving the handling of sensitive data is another part of Reclaim Your Name. Data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive — relating to health conditions, sexual orientation and financial condition, for example — the data brokers would provide greater transparency and more robust notice and choice to consumers.

For more information on the FTC’s privacy guidance and enforcement, see the privacy and security section of the FTC Web site.


Leave a comment

Insurer has no duty to defend electronic privacy claims under policy containing “Online Activities” exclusion

An insurance policy that covers personal injury liability, with an exclusion for “online activities,” defined, in part, as “providing Internet access to third parties," does not provide coverage for an Web entity’s violations of federal computer privacy laws. Netscape Communications Corp. v. Federal Insurance Co., No. 06-00198, 2007 U.S. Dist. LEXIS 78400 (N.D. Cal. Oct. 10, 2007). The court granted the insurer’s summary judgment motion, ruling that, based upon the policy exclusion, the insurer does not have a duty to defend the insured for lawsuits alleging violations of federal electronic privacy laws stemming from user information gathered for targeted advertising purposes. In construing the policy exclusion, the court determined that the definition of “Internet access” under the exclusion is broader than merely providing an Internet connection and included the plaintiff’s online activities that “facilitated the ability of users to make use of the Internet.”