PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.

FTC 01by Daniel J. Solove

The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015).  The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.

Background

Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security.  Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Deception and unfairness are two independent bases for FTC enforcement.  During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled.  Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.

Among the arguments made by Wyndham, three are most worth focusing on:

FTC PNG 02a(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.

(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.

(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.

The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals.  Here is a very brief overview of the 3rd Circuit’s reasoning.

Continue Reading

Should the FTC Kill the Password? The Case for Better Authentication

title image

Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Continue Reading

Understanding the FTC on Privacy and Security

Privacy Training Blog FTC

by Daniel J. Solove

Privacy Awareness Training Blog TRUSTe FTC WebinarI recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security.  The webinar is free and is archived at TRUSTe’s site.

Here is a brief synopsis of the webinar:

For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security.  What are the standards that the FTC is developing for privacy and data security?  What sources does the FTC use for the standards it develops?

A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.

My webinar was written up at the Wall Street Journal.  If you’re interested in seeing it, it’s free and available here.   Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.

Continue Reading

Going Bankrupt with Your Personal Data

title image

By Daniel J. Solove

 

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Health Data Security in Crisis, Phase 2 Audits, and Other HIPAA Privacy + Security Updates

title image

By Daniel J. Solove

Co-authored with Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. We have split the health/HIPAA material from our updates on other topics. To see our updates for other topics, click here.

For a PDF version of this post, and for archived issues of previous posts, click here.

Continue Reading