One of the most frustrating things about privacy and information security law is the lack of certainty when it comes to acceptable uses and protocols. This piece is intended to explain some of the reasons for the uncertainty, and to highlight a pending case that might shed additional light.
Bills to create nationwide privacy and information security rules seem unable to gain traction in Congress. (Perhaps that will change with the new class of legislators having just been sworn into office.) At present, the United States has no comprehensive privacy statute nor is there a comprehensive set of privacy regulations. Instead, we have a "patchwork" of privacy regulation:
Most privacy laws in the United States are industry-specific and enforced by industry-specific agencies. For example, the federal banking agencies (the FDIC, OCC, FRB, and NCUA) govern financial institutions' handling of financial information, and the Department of Health and Human Services holds healthcare providers responsible for following the health information privacy rules.
At the federal level, the Federal Trade Commission is the agency with the broadest reach to address privacy and information security issues. The FTC has taken the role of filling the gaps left by the patchwork of regulations by pursuing enforcement actions against all sorts of companies for all sorts of privacy-related issues. But from where does the FTC's broad authority over privacy practices come, and how far does it reach? Certain specific federal statutes give the FTC authority over specific issues, like the privacy of children's information on the internet, and credit reports, but what about the FTC's authority over the broad spectrum of privacy-related issues?
Another significant problem with the FTC's broad and ambiguous authority is that the FTC has not been given the explicit authority to write and publish regulations governing privacy and data security generally. As a result, the FTC "regulates by enforcement," meaning the primary way in which we know what will draw the FTC's ire is by looking at the instances in which it has brought enforcement actions in the past and drawing inferences from the court filings and settlement agreements that become public. The obvious problem is that the rules of the game are not given to the players at the outset of the game, and are never made perfectly clear. Only by carefully observing the FTC's public actions and public statements can we begin to infer the kinds of activities that might trigger FTC action. Regulating privacy and information security in this way (after-the-fact punishment based on very broad principles) leaves a lot of room for uncertainty, and many organizations are craving clarity in these areas.
A case pending before the Third Circuit Court of Appeals may result in additional certainty: The FTC brought an enforcement action against Wyndham Hotels following information security lapses by the hotel chain, but Wyndham is fighting back, arguing that the FTC lacks the authority under the FTC Act to bring data security enforcement actions, as well as arguing that the FTC failed to give it fair notice of the security practices the FTC expects. Wyndham further challenges the FTC's claim that its practices were "unfair." (A practice is "unfair" under the FTC Act only if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”)
Because most FTC enforcement actions in this area result in settlement, this is the first time a federal appeals court will be asked to clarify the FTC's role in data security. You can bet privacy and information security lawyers and other InfoSec professionals will be watching this case closely!