Congress has never conferred authority on the Federal Trade Commission to regulate data security standards. In recognition of this fact, the FTC has previously lobbied Congress to enact law giving it explicit authorization to develop data security standards for business. Nonetheless, the FTC is now asserting both the power to compel businesses to take specific steps to ensure data security and to impose an impossible standard of strict liability. To be sure, in recent years FTC has taken enforcement actions against companies that have suffered data security breaches on the view that businesses are responsible for any data security breach—even if there is no evidence that any consumer has been harmed at all.
In fact, in Federal Trade Commission v. LabMD, the agency brought an enforcement action against a company that was hacked by data security experts who had no intention of stealing data. Instead these hackers sought to compel LabMD to hire their security services—while threatening to report the company to FTC if it should refuse. LabMD took prompt action to address the security issue once it was brought to its attention, but refused to pay off the hackers. In turn, they followed through on their threat and notified FTC that they had managed to gain access to the company’s data system. And even though there is no evidence that any of LabMD’s customers were ever affected, FTC brought its action on the theory that it has a vague authority to impose an evolving standard of liability on businesses to protect consumer information.
But as NFIB Legal Center argued in a recent amicus brief, there are serious problems with FTC’s theory. Even if a court might infer some degree of regulatory authority over data security, it is wholly improper for any government agency to impose an evolving regulatory standard without spelling out precisely what the regulated community must do to comply. Moreover, the Legal Center argues that it is completely unreasonable to expect small businesses to guarantee total data security. That would be an impossible standard. To be sure, we live in an age where we see even the most sophisticated multinational corporations—even federal agencies—falling victim to ever more sophisticated hacking.
Additionally, NFIB Legal Center argues that it would be unreasonable for a government agency to impose a one-size-fits-all standard. To be sure, data security is complicated not only because it requires technical knowledge of cyber threats, but also because there are numerous variables that must be weighed in developing public policy in this arena. Surely this is one of the reasons why Congress has yet to enact legislation authorizing FTC to regulate data security standards. Indeed, if Congress were to enact law setting data security standards, it would have to weigh competing social, economic and privacy concerns. And it seems unlikely that Congress would entertain the sort of strict liability standard that FTC advocates, because that would not only impose unreasonable liabilities on businesses, but would impose unreasonable costs on companies and therefore on the economy.
Accordingly, if Congress were ever to act, it would almost certainly allow greater flexibility than FTC’s current approach, in recognition that smaller firms have fewer resources to invest in data security. Congress would also likely spell out different standards for different industries. In any event, should Congress consider legislation in this arena, NFIB would have a seat at the table to ensure that the voice of small business is heard.
For that matter, if FTC is intent on regulating data security, our position remains that the agency should promulgate formal regulations that would allow small business an opportunity to raise concerns. That would at least give fair notice of what exactly the agency believes businesses should be doing to avoid data security problems. And it would also allow for a square fight if we should take issue with FTC’s approach—or its asserted statutory authority. But instead, the agency has chosen to operate in the shadows—bringing selective enforcement actions against businesses for failing to properly anticipate its evolving rules.
As such, the NFIB Legal Center has assumed the role of amicus—providing our support for defendants in several of these cases. At the end of the day we hope that the Eleventh Circuit Court of Appeals agrees with us that FTC lacks authority here, or that its theory of strict liability is wholly unreasonable. Such a holding would create a split in authority among the federal courts, which might well result in the U.S. Supreme Court taking up a case along these lines. Until then, we will continue to fight to protect small business from burdensome and unreasonable regulatory impositions.
*Special thanks to Ronald Raider of Kilpatrick Townsend & Stockton LLP for his pro bono work on behalf of NFIB Small Business Legal Center in the LabMD case.