Breached Companies Fight FTC Complaints
I attended a panel discussion a few weeks ago about an ongoing FTC complaint over a data breach at LabMD. What makes this one interesting is that LabMD is fighting the FTC, rather than agreeing to a consent decree.
The breach itself was caused by peer-to-peer file sharing software (Limewire), but the thrust of the discussion was how the FTC deals with these privacy issues. Such breaches are prosecuted under “Section 5” of the FTC Act (“unfair or deceptive acts or practices”), on the theory that a company that gets breached had been making deceptive claims about safeguarding customer data appropriately. Because this is civil/business law, not criminal law, such actions are not subject to the same strictures that we are used to from TV crime and court shows. The courts have repeatedly ruled that the FTC is “entitled to deference in reasonably interpreting its organic statutes”, which to some extent means it gets to make up the rules as it goes along (this somewhat overstates things, but it captures the tenor of the issue). And, also unlike criminal cases, the rule of lenity doesn’t necessarily apply.
The fundamental problem is of course that this is such a fast-moving area that the FTC and the law cannot keep up. As a result, there are no solid FTC rules or guidelines, so companies do not feel like they know what they’re required to do. Essentially, the FTC says “Here are past consent decrees, read ’em and figure it out”. So companies try to do their best, and then some new attack hits, and they find themselves at the mercy of the FTC.
As one of the lawyers puts it, “It’s like Mom gets up one day, smacks one of the kids, and says ‘That’s for something you did three weeks ago, and see, kids, don’t do that’”. The LabMD case has followed that pattern: after the breach, the FTC found out and started action against them. Typically, when threatened with large fines, the company opts to settle for a lesser amount, figuring that they wind up ahead.
Even when a company does fight an FTC complaint, there are several procedural stages that the FTC is effectively guaranteed to win before the matter reaches a real court, so fighting is very expensive in both time and money. In the LabMD case, they have already spent $500K on discovery alone (a significant amount for a 25-person company). Apparently this expenditure was required just to respond to the FTC, so it’s understandable that the company is not very interested in spending more over something that they feel wasn’t due to their negligence. (There’s another aspect to this, in that the FTC is seen as having allowed Limewire to continue operating for several years with a known and very deceptive feature: when you shared a folder, it silently and automatically shared all of its subfolders as well. And Limewire suggested sharing My Documents! But the general problem with FTC data breach enforcement actions is broader.)
The panel made some trenchant comments, including “The way the FTC provides consumer protection now is like providing highway safety by putting crosses at the side of the road where accidents occurred.” That is, at least in the area of data breaches, FTC actions are all after the fact, rather than providing rules or even clear guidance. That leaves it up to the companies to figure out. And that’s a big problem.
Another comment: “Clear but bad law is better than good but unclear law”. In other words, if the law is “bad” (foolish, difficult, whatever), at least you can work to meet it; if it’s unclear, you never know whether you have. PCI DSS is an example of a (probably) good one that’s quite clear, vs. HIPAA, which is also probably good but horribly confusing.
A similar case in which Wyndham Hotels is resisting an FTC complaint is also pending. Wyndham is much larger than LabMD, and has spent $5M on discovery—also just to respond to the complaint.
An article about the Wyndham case states the primary concern succinctly:
The groups accused the FTC of holding breached entities like Wyndham to unfair and arbitrary standards and alleged that the FTC is forcing businesses into lengthy data breach settlements and imposing costly fines for violating security standards the agency hasn’t even formally promulgated.
Back in the 1970s, the FTC was almost dissolved because it was failing its mission. Part of their revised charter states that enforcement has to include clear damages not mitigated by other benefits and not avoidable by the consumer. While of course identity theft falls in that category, void for vagueness/Fair Notice/Safe Harbor doctrines need to be taken into account, and this seems not to be happening. The relationship between companies and the FTC is adversarial, in an arena where neither side really knows what they’re doing yet (again, because it’s evolving too rapidly), and that’s not serving business or consumers efficiently. The FTC is not evil: they’re just overwhelmed and seem to have fallen into this mode of pushing for consent decrees, rather than trying to understand and track the threats and provide useful guidance.
And of course had these companies implemented Voltage SecureData and SecureMail, they might well have avoided the data breaches that led to the FTC actions. As experience has repeatedly proven, the question around data breaches is not “If” but “When”. With proven, end-to-end, data centric protection, breaches are transformed from crisis to annoyance.