The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data beach, the CCPA provides for statutory damages of $100–$750 per consumer per incident. READ MORE
Earlier this month, the U.S. Supreme Court agreed to hear a pair of cases that provide it with the opportunity to severely restrict the Federal Trade Commission’s (“FTC’s”) authority to obtain equitable money relief in consumer protection enforcement actions, including privacy and cybersecurity matters. Under Section 13(b) of the FTC Act, in certain circumstances the FTC is empowered to bring actions in federal court to seek temporary restraining orders and injunctions for violations of the Act. In two consolidated cases, FTC v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. FTC, the Supreme Court will now consider whether, as the FTC claims, this provision also authorizes the agency to seek equitable money relief for such violations, even though the provision makes no mention of money relief. The decision will have broad implications because the FTC has relied on Section 13(b) to seek monetary relief in consumer protection enforcement actions, including privacy and cybersecurity matters. A ruling against the FTC could substantially alter the FTC’s approach to privacy and cybersecurity enforcement.
The FTC’s privacy and cybersecurity enforcement actions typically rely on Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC takes the position that a failure to implement “reasonable” cybersecurity or privacy practices can constitute an “unfair” practice, and that making false or misleading statements about such practices can be a “deceptive” trade practice under the statute.
The FTC can enforce Section 5 in two ways. First, it can rely on its traditional administrative enforcement authority, which allows the FTC to initiate an administrative proceeding to issue an order to “cease and desist” violations of Section 5, but only provides for monetary relief in limited circumstances. Second, in certain situations the FTC can sue directly in federal court under Section 13(b) of the FTC Act. Although Section 13(b) authorizes only “injunctions,” the FTC often brings cases under this section in federal court seeking monetary relief under equitable doctrines such as restitution, disgorgement and rescission of contracts.
Until recently, courts universally accepted the FTC’s expansive view that its authority under Section 13(b) to obtain “injunctions” enables it to seek equitable monetary relief. But that has begun to change. In Credit Bureau, the Seventh Circuit rejected the FTC’s position that Section 13(b) authorizes monetary relief on the ground that an implied equitable monetary remedy would be incompatible with the FTC Act’s express remedial scheme. Most notably, the court observed that the FTC Act has two detailed remedial provisions expressly authorizing equitable money relief if the FTC follows certain procedures. The FTC’s broad reading of Section 13(b) would allow the agency to circumvent these conditions on obtaining equitable money relief, contrary to the intent of Congress. And in AMG Capital Management, although the Ninth Circuit considered itself bound to follow its prior precedent allowing the FTC to obtain money relief under Section 13(b), two of the three panel members joined a special concurrence arguing that this position is “no longer tenable.” And a decision from the Third Circuit last year, while not addressing whether the FTC is barred from pursuing money relief under Section 13(b), held that to pursue such relief the FTC must, at a minimum, allege facts plausibly suggesting that the company “is violating, or is about to violate,” the law.
If the Supreme Court restricts or eliminates the FTC’s pursuit of equitable money relief under Section 13(b), its decision would represent a significant setback for the FTC’s recent attempts to expand its remedial authority in privacy and cybersecurity cases, among others. In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning an FTC cybersecurity enforcement action, convincing the Eleventh Circuit that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019.) In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. The FTC has followed through on that promise in the ensuing years, pursuing a wide range of additional remedies, including equitable money relief. An adverse ruling by the Supreme Court could strike a severe blow to the FTC’s efforts on this front.
Such a ruling is entirely possible. Just last month in SEC v. Liu, the Supreme Court recognized limits on the disgorgement power of the Securities and Exchange Commission, determining that it is restricted to situations where the remedy does not exceed a wrongdoer’s net profits and is awarded for victims. However, unlike the FTC Act, the SEC Act specifically authorizes the SEC to seek “equitable relief.” Therefore, the consolidated AMG and Credit Bureau cases afford the Supreme Court an opportunity to recognize even greater restrictions on the FTC’s authority to obtain equitable money relief under Section 13(b) – or, as the Seventh Circuit did in Credit Bureau, to reject such authority altogether.
While in the short term such a ruling may reduce the monetary risks of FTC privacy and cybersecurity enforcement for companies collecting personal information, it could serve as a catalyst for a legislative proposal that would provide the FTC significant new authority to police privacy and security violations and assess civil penalties.
To discuss these cases in more detail, or for advice on the FTC’s privacy and cybersecurity enforcement program more generally, please feel free to contact any member of our privacy & cybersecurity team, which has immense experience in this area.
The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability.
While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take: READ MORE
On August 21, 2019, the U.S. Court of Appeals for the Seventh Circuit held in FTC v. Credit Bureau Center, LLC, 2019 WL 3940917 (7th Cir. 2019) that the Federal Trade Commission (“FTC”) lacks authority to obtain monetary relief under Section 13(b) of the FTC Act. The FTC has relied on Section 13(b) to seek money relief in consumer protection enforcement actions, including privacy and cybersecurity matters, and had, prior to the Credit Bureau decision, suggested an intent to do so more frequently in the future. READ MORE
Amidst mounting pressure to pursue cybersecurity more aggressively, the Federal Trade Commission (“FTC”), the federal government’s most active enforcer in the space, has recently imposed increasingly stringent cybersecurity requirements in its consent orders. Given that FTC consent orders typically carry 20-year terms and a potential fine of $42,530 (which the FTC may contend applies to each consumer subject to a breach), it is vital for companies faced with an FTC cybersecurity investigation to take every possible step to narrow the scope of relief requested by the FTC. Several recent FTC cybersecurity settlements illustrate an emerging pattern: a company that litigates may secure a better deal than it would have received in an initial settlement, if not defeat the action entirely. But when considering whether to settle or litigate with the FTC, companies must still balance the various legal, business, and reputational risks at stake.
Privacy & Cybersecurity Litigation partner Michelle Visser, counsel David Cohen and associate Nicole Gelsomini authored this blog post for the Washington Legal Foundation on the unsettled state of the law on constitutional standing in privacy and cybersecurity cases in the wake of two recent Supreme Court developments. Constitutional standing challenges are, and will continue to be, an important potential tool for privacy and cybersecurity defendants seeking to dismiss certain class actions brought in federal court. To establish standing, a private plaintiff must show, among other things, that he or she faces an actual or imminent concrete injury from the defendant’s conduct. As explained in the Washington Legal Foundation post, however, the Supreme Court recently passed on two chances to clarify the test that will govern this standing inquiry, leaving defendants to wade through conflicting and ambiguous lower court precedent. The uncertain and nuanced state of this area of law underscores the importance of retaining experienced cybersecurity and privacy defense counsel when faced with this type of suit.
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues. As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE