In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform. In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.
As we reported last time, on three separate occasions in 2008 and 2009, hackers allegedly accessed and ex-filtrated payment card information belonging to over 619,000 of Wyndham’s guests (reportedly causing some $10.6 million in fraudulent charges) from its corporate network and certain of its independently-owned hotels’ property management systems.
The FTC brought an enforcement action under the unfairness prong of Section 5 of the FTC Act, alleging that Wyndham’s data security practices “unreasonably and unnecessarily” exposed consumers’ personal data to unauthorized access and theft. (See our discussion in Part I.) The FTC complaint also raised a deception claim against Wyndham for misleading statements in its online privacy policies going back to at least 2008. The statements at issue included representations by Wyndham that it protected customer information through “industry standard practices” and “commercially reasonable efforts,” such as “128-bit encryption,” “fire walls” and “other appropriate safeguards.” According to the FTC, however, Wyndham failed to use encryption, firewalls, and a host of other allegedly commercially reasonable methods to secure consumer data. The District Court allowed the FTC’s deception claim, together with its unfairness claim, to proceed past Wyndham’s motion to dismiss.
There is nothing new about the FTC’s use of Section 5 to police misrepresentations or omissions in consumer-facing statements. Deception claims are standard fare in the 50+ cybersecurity consent decrees that the FTC has obtained to date, as well as in hundreds of other FTC consumer protection actions, most notably in the advertising and marketing context. A recent example is the FTC’s motion for contempt filed against LifeLock for failing to comply with its 2010 consent decree with the FTC and 35 State Attorneys General. Among the alleged violations were misrepresentations that the company protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received indications of problems, and a failure to have maintained a comprehensive information security program to protect customers’ personal information.
- What (and how much) should you publicly state about security? Decide whether detailed statements about your plans, protocols, processes and tools are necessary and generate business value. Avoid overstating your security practices, or implying that a high level of security is applied across the board, when in fact it is applied only to certain portions of the data set. Be thoughtful about the fine line between transparency that informs customers on the ways in which you collect, use, share, store and transfer data, and vague language or catch phrases, such as “industry standard security,” “bank-level encryption” or “we do everything we can do to secure your data,” that can land a company in hot water.
- How (and how often) do you test your public statements? All consumer-facing representations should be audited no less than twice per year. Reviews should be accelerated as part of privacy-by-design processes any time new products or services will be deployed. And always include the IT/InfoSec team in reviewing and approving all security-related statements together with the privacy and legal team.
- Are reasonable security disclaimers appropriate? Given the constantly shifting cyber threat landscape, virtually any assurance regarding security is susceptible to scrutiny. This is why many companies include blanket disclaimers informing consumers that security measures may change, be unavailable from time to time, or even circumvented by sophisticated actors (e.g., “We cannot guarantee 100% security, and no security is fail proof”). Competent judgment is required to strike a thoughtful balance: any legal benefits that disclaimer language may provide should be weighed against the PR/business impact of being viewed as shifting risk to the consumer.
See FTC Policy Statement on Deception, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984).
See 15 U.S.C. § 45(n).
As support for the proposition that it could not completely “disentangle” the FTC’s deception and unfairness theories, the Third Circuit cited a string of administrative decisions in which the FTC has “described deception as a subset of unfairness.”