FCC, FTC Cases Equal Roadmap for What Not to Do

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Joyce E. Cutler

Oct. 2 — Federal Trade Commission and Federal Communications Commission enforcement cases provide road maps for where the agencies’ interest lies in protecting consumer data privacy, privacy professionals said Sept. 30.

The two agencies are asserting their authority over consumer privacy and security, and in the case of FTC, at least one circuit court has blessed the move, panelists said at an International Association of Privacy Professionals meeting in Las Vegas.

Kathleen Benway, FCC consumer protection assistant bureau chief, said “looking at the cases that we’ve brought and looking at the facts,” is important. “They provide a roadmap of common-sense things that you don’t want to or that you do want to do,” she said.

Laura VanDruff, FTC privacy and identity protection division assistant director, noted that in June the FTC published a guide about lessons learned from its cases.

“It’s as fundamental as thinking about security at the outset, not making it an afterthought,” VanDruff said.

The FTC's Wyndham Case

 

In August, the U.S. Court of Appeals for the Third Circuit upheld the FTC's authority to bring data security enforcement action under the unfairness prong of Section 5 of the FTC Act in a case against hotelier Wyndham Hotels & Resorts LLC.

FTC accused Wyndham of multiple and systemic data security failures that resulted in multiple breaches affecting hundreds of thousands of consumers’ credit card data. In April 2014, the U.S. District Court for the District of New Jersey denied a motion to dismiss by Wyndham, ruling that the FTC has authority under the unfairness prong of Section 5 of the FTC Act to bring a data security enforcement action against the company and doesn't have to issue data security rules. The Third Circuit granted Wyndham's petition for an interlocutory appeal of portions of the district court's opinion.

The appeals court held Wyndham wasn't “entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required.”

One aspect of the decision was an express holding that FTC didn’t have to have specific, concrete rules on the books prescribing what is reasonable as actual rules, said Peter Karanjia, a partner with Davis Wright Tremaine LLP in Washington, and former FCC deputy general counsel.

The FCC Moves Into Data Security 

The FCC has moved to oversee data security issues, an area in which the FTC had already been involved.

AT&T Service Inc. last April agreed to record $25 million data breach fine on FCC enforcement due to actions of call center contractors in Colombia, Mexico and the Philippines accessing U.S. consumer data for purposes of selling the information to third parties to unlock mobile devices.

The FCC in July announced it settled with two telephone companies for $3.5 million for failing to protect customer proprietary network information under Section 201 and 222 of the Communications Act of 1934.

The TerraCom and AT&T data breaches both related to vendors “so it’s really important that you now your vendors and know their practices,” Benway said.

“You’re seeing more and more data security issues that are related to vendors, so I would really highlight that,” Benway said.

No FTC v. FCC Turf Battle

Benway and VanDruff disputed reported turf battles between the FTC and the FCC. The agencies coordinate with each other, the Department of Justice and states attorneys general, VanDruff said. “Coordination is nothing new, headlines notwithstanding,” she said.

Benway said every conference she attends, people raise questions about inter-agency tensions. “The only place sees I ever see that is in the headlines, in the news.”

The FCC's Benway said that consumers are using information all the time and their smartphones are with them all the time, “and this is the area we oversee. So I don’t think that’s unusual we’re expanding in to the privacy arena.”

To contact the reporter on this story: Joyce E. Cutler in San Francisco at jcutler@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com