LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District Court for the District of New Jersey sided with the FTC and denied Wyndham’s motion to dismiss the FTC’s complaint. The Court found that Section 5 of the FTC Act permits the FTC to regulate data security, and that the FTC is not required to issue formal rules about what companies must do to implement “reasonable” data security practices. Notably, Wyndham’s data breach involved personal information that included names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes, and did not involve HIPAA-covered Protected Health Information (PHI), so the court did not address the coexistence of data security authority under the FTC Act and HIPAA.
My Fox Rothschild LLP colleague, Todd Rodriguez, recently posted a blog describing the new HIPAA “Security Risk Assessment Tool” (SRA Tool) developed by the Department of Health and Human Services (HHS) as a collaboration between the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC). The tool, available for download, supplements the detailed Omnibus Rule standards with a practical, hands-on resource entities can use to evaluate the efficacy of their data security practices, and users are asked to provide feedback on the SRA Tool by submitting comments before June 2, 2014.
By contrast, the FTC expects companies to review its enforcement actions and figure out what not to do when it comes to data security practices. As reported by Andrew Scurria in Law360 on March 26, 2014, FTC Chairwoman Ramirez appeared before a Senate Commerce Committee panel and responded to critiques that the FTC has not provided enough guidance to businesses regarding appropriate data security practices. Ramirez referenced the consent decrees resulting from the cases the agency has brought and settled under the unfairness and deception prongs of Section 5 of the FTC Act, and said that companies can “discern” the FTC’s approach to data security enforcement from those.
The recent victory in the Wyndham case may be a sign that the “other” data security sheriff in town, the FTC, will ramp up its enforcement actions and catch more companies that have been unable either to “discern” the FTC’s expectations or to avoid hacking incidents and other security intrusions. Unfortunately, because it does not appear that the FTC will issue any regulatory guidance in the near future about what companies can do to ensure that their data security practices are reasonable, companies must closely monitor the FTC’s actions, adjudications, and other signals in an attempt to predict what the FTC views as data security best practices.