Understanding the Federal Trade Commission’s (FTC) Cyber Security Expectations
One of the biggest challenges in cyber security litigation today is determining damages. Maybe a hacker breached a company's cyber security and stole your personal information, but were you hurt? Did someone take that information, use it to impersonate you, and generate charges for which you were liable? Did you have to take any steps or expend any sums to remedy the breach? The Federal Trade Commission (FTC) has been thinking about this issue a lot. In September, the Acting Commissioner of the FTC, Maureen K. Ohlhausen, noted that "Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries." However, this past June, the FTC pursued expansive authority from the Eleventh Circuit Court of Appeals that would empower it to prosecute companies for poor cyber hygiene even if there was no harm to the company's customers. The FTC called this "purely conceptual harm," or, in other words, harm that would have occurred if the stolen data had been misused. One judge likened this expansive view of the FTC's authority to "A tree fell and nobody heard it—that's the kind of case we have here."
What does this mean for companies trying to protect consumer data? On the cautious reading, it means that if your company is hacked, the FTC may choose to prosecute you even if none of your customers suffered any harm. But the FTC also looks at other factors to determine whether you have infringed on its mandate to protect consumers from "unfair or deceptive acts or practices," commonly known as Section 5 authority or the Consumer Protection statute. In particular, do not overhype the cyber protection you offer. If you do, and there is a breach, you could find yourself facing a charge of unfair or deceptive acts or practices. This is the easiest type of FTC action to bring, so you must be especially careful to accurately disclose the cyber security precautions you actually use.
A step that companies of any size can take is to employ "reasonable" precautions to protect themselves from a hack. What does the amorphous word "reasonable" mean? Unfortunately, it varies from circumstance to circumstance and changes over time as new techniques and technologies move into the marketplace. This means you have to keep abreast of what is available to ensure your conduct remains reasonable. One simple rule of thumb: more will be expected of a large company holding lots of sensitive information about consumers than of a small company with hardly any electronic data. A Fortune 500 company should run cyber-related war games, use outside cyber threat intelligence firms and services, liaise with government, and have in-house expertise that can swiftly respond to cyber threats. Others may be able to avoid some of those expenses, but may need to do more employee training, adopt a written cyber security policy, and, among other things, use multi-factor authentication (Ashley Madison and Uber were chastised by the FTC, in part, for their failure to use multi-factor authentication). At a minimum, you need to find out what your company needs in order to fit within that Goldilocks zone of "just right."
One final step you can take is to consult the FTC itself. In December 2017, the FTC held a workshop to discuss what types of injuries suffice to potentially trigger liability under the Consumer Protection statute. The full details, including videos and transcripts of the event, can be viewed here.
Michael Richter is an attorney at the law firm of Skadden, Arps, Slate, Meagher & Flom LLP. He focuses on litigating complex commercial claims and cybersecurity. Prior to practicing law, Michael served as an intelligence officer with the Defense Intelligence Agency and the Office of the Director of National Intelligence. He has written extensively on legal, cyber, intelligence and national security matters for, among others, the Wall Street Journal, the National Law Journal and Law360. He can be reached at Michael.Richter@Skadden.com.