On Tuesday, September 27, 2016, the three active commissioners at the Federal Trade Commission (“FTC” or the “Commission”) testified before the U.S. Senate Committee on Commerce, Science, and Transportation regarding the Commission’s use of its authority relating to data security issues. While the hearing covered various topics as part of the Committee’s oversight of the FTC, members of the Committee focused on the FTC’s work in the data security area and appeared skeptical that the Commission was using its authority properly.
Committee Chairman Senator John Thune (R-SD) opened the hearing on this topic, saying that “[w]hen Congress drafted the FTC Act, we took care to ensure the prohibitions of Section 5 would be evergreen. . . . But Section 5’s flexibility does not mean it is open-ended.” Section 5 of the FTC Act (15 U.S. Code § 45) gives the FTC authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” “Unfair” practices are defined in the statute as those that “cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Last year in FTC v. Wyndham Worldwide Corporation, the Third Circuit held that the FTC has authority to regulate “unfair” or “deceptive” cybersecurity practices under Section 5.
FTC Chairwoman Edith Ramirez responded to Senator Thune that, although Section 5 is not open-ended, the FTC needs to use its authority to address data security issues. She testified, “[d]ata security is the most significant challenge we face as a nation.” She further stated that the FTC needs to “use[] its core enforcement authority – Section 5 [ ] – to take action against companies engaged in unfair or deceptive practices involving the privacy and security of consumers’ information.”
Still, Senator Thune expressed concern that the FTC already had expanded its authority to actions that seemingly did not involve tangible monetary harm, such as the FTC’s recent decision to hold LabMD liable for “unfairness” over the purported leak of a patient data file that seemingly did not tangibly harm consumers. In that decision, the FTC explained, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” Senator Thune characterized this decision and reasoning as “extraordinary” and that it raises “serious questions about whether the FTC’s actions are always predicated on substantial injury to consumers.”
Senator Thune asked Chairwoman Ramirez how, under this standard, the FTC decides when a harm is “substantial” enough to justify action, and Chairwoman Ramirez responded that tangible harm is not required for bringing an unfairness action. “There is no limitation on unfairness requiring actual or likely harm that it be economic,” Chairwoman Ramirez testified. “Most of our cases do tend to assert harm that is economic and tangible but there is no restriction, and in a few instances that are appropriate we do feel that it’s proper for the agency to address serious intangible harms like privacy harms that would include infringement and potential revelation of private information such as privacy intrusions.”
Senator Deb Fischer (D-NE) expressed concern with Chairwoman Ramirez’s explanation, stating that she worried that the FTC would use its numerous pages of guidance, which tend to further confuse companies as to the FTC’s requirements, to continue to expand its authority in enforcement actions over data security. Chairwoman Ramirez again tried to alleviate concerns by explaining that the guidance is not binding and “any enforcement action would have to reflect a considered decision by the commission that we have a reasonable belief that applicable law, whether it is the FTC Act or another statute that we enforce, has been violated.”
