The Federal Trade Commission (FTC) has developed a well-known penchant for using individually negotiated settlement agreements and consent decrees to announce for the first time what qualifies as “unfair” or “deceptive” conduct under the FTC Act. In the data-privacy arena, FTC views these enforcement actions (and the resulting consent decrees) as a source of “common law” that places the business community on sufficient notice of what data-security practices § 5 of the FTC Act requires.
The U.S. District Court for the Western District of Washington recently ratified that view in a controversial ruling, Veridian Credit Union v. Eddie Bauer. The case arose following a 2016 cyberattack on Eddie Bauer’s network that compromised customers’ payment-card data. Veridian Credit Union, whose cardholders had their data stolen after shopping at Eddie Bauer, brought suit under Washington’s Consumer Protection Act (CPA), which, like § 5 of the FTC Act, also allows courts to award treble damages to private plaintiffs who are injured by “unfair” or “deceptive” acts. Veridian alleged that Eddie Bauer’s failure to adopt data-security measures that FTC has required in other cases constitutes an “unfair” practice under the Washington CPA.
Although the Washington CPA does not define “unfair” or “deceptive,” Eddie Bauer explained that “unfairness” requires a showing that the defendant’s conduct was likely to cause unavoidable and substantial harm. But any harm in this case was caused by the theft of payment-card information by a malicious third party, not by any conduct of Eddie Bauer’s. The court rejected that view, however, explaining that the Washington legislature based the CPA on § 5 of the FTC Act, which should be liberally interpreted in light of FTC orders.
Under the court’s ruling, even private plaintiffs can now rely on prior FTC enforcement actions and consent decrees to establish liability under state laws that regulate “unfair” or “deceptive” practices. Not only is this approach to treble-damages liability deeply unfair to the businesses victimized by data theft, but it also falls far short of satisfying the legal standard for fair notice. The constitutional requirement that defendants be given fair notice of conduct that can subject them to punishment is deeply rooted in our legal system (and indeed in any system founded on respect for the rule of law) and applies to any defendant—criminal or civil—faced with liability for running afoul of the law.
FTC complaints and consent orders apply only to each targeted company and its unique situation and so are not binding on third parties. The orders routinely point to a large number of factors which, taken together, are said to violate the FTC Act but when taken individually or in some combination may not. The orders leave third-party businesses in the dark as to which factors are most critical or which “failures” were fatal to the settling entity. Indeed, it is widely understood that a consent decree binds only the parties to the agreement. Nor can FTC’s prior consent decrees entered into with third parties somehow substitute for agency rulemaking. Yet lacking any clear rules or regulations for data-security liability, FTC deprives all Americans of “fair notice” of what conduct is forbidden or required under the FTC Act.
FTC’s contention (embraced by the district court action against Eddie Bauer) that agency complaints, consent orders, and Commissioner statements arising from the Commission’s dozens of unfairness actions somehow comprise a body of data-security “common law” to which businesses must conform leaves much to be desired. If anything, imposing liability on the basis of idiosyncratic consent decrees and case-by-case enforcement actions is the antithesis of what historically has been meant by the “common law,” which was understood to be the law common to all the King’s courts throughout England.
By contrast, FTC’s “common law” is common to no one but the actual party bound by the settlement order. Such private settlements in no way constrain FTC’s future enforcement decisions; unlike formal rulemaking, they do not even purport to lay out general enforcement principles.
To its credit, FTC recently hosted an “informational injury” workshop to receive input from affected stakeholders on the best approach for accurately measuring “injury” in the data-privacy context (WLF submitted comments). But the agency still has much work to do if it is going to provide much-needed clarity and certainty to the business community.
Also published by Forbes.com on WLF’s contributor page.