The FTC was recently sued for refusing to turn over information about how the agency decides to bring data security cases. The Freedom of Information Act (“FOIA”) suit by Philip Reitinger, a former Department of Homeland Security official who is now president of a private cybersecurity company, comes just as the FTC is embroiled in two significant data security cases against Wyndham Hotels and Resorts and LabMD Inc. The Wyndham Hotels case is currently pending before the Third Circuit Court of Appeals. The Eleventh Circuit denied LabMD’s appeal to dismiss the FTC’s case earlier this year, and the case is proceeding through an administrative trial. Furthermore, in March 2015, the FTC announced the creation of a new office within the FTC, the Office of Technology Research and Investigation (“OTRI”). The OTRI was created to expand the FTC’s capacity to protect consumers in an age of rapid technological innovation.
In his complaint, Mr. Reitinger contends that “[t]he FTC’s data security activity has increased in recent years and is likely to continue to do so. In light of this increased activity, it is important for the public, including entities subject to the FTC’s data and cybersecurity enforcement, to understand the FTC’s expectation for data security practices and the reasoning for its actions.” Mr. Reitinger brought his suit against the FTC after the agency refused to share its policies for data and cybersecurity pursuant to a FOIA request made by Mr. Reitinger.
The information sought by Mr. Reitinger could help answer central questions in the Wyndham Hotels appeal and the administrative trial against LabMD. “The FTC has not given notice of what cybersecurity practices are ‘unreasonable,’ ” wrote Wyndham counsel Eugene Assaf, a partner at Kirkland & Ellis, in a brief to the Third Circuit. Wyndham Hotels says it was the victim of an attack by Russian criminal hackers, and that the FTC is pursuing a “novel and legally untenable theory that Wyndham Hotels committed an ‘unfair’ trade practice.” LabMD president and CEO Michael Daugherty said that “If businesses don’t know what the law requires they can’t comply.” Mr. Daugherty also said the FOIA suit “strikes directly to the heart of the matter in LabMD’s battle with the FTC. It must be unconstitutional for a government agency to refuse to disclose what standards and rules apply to a statute.”
In refusing Mr. Reitinger’s FOIA request, the FTC claimed FOIA Exemption 5, asserting that all the material is protected by the “deliberative-process privilege.” It also said that FOIA Exemption 7(E) applied, alleging that the documents are also law enforcement guidelines, and that their disclosure could “reasonably be expected to risk circumvention of the law.” But even if the FTC had released the information sought by Mr. Reitinger, is data security amenable to rulemaking given its incredibly rapid growth and development?
The FTC has not proposed any formal rules laying out its data security standards, though it has issued some guidance. Wyndham Hotels’ attorneys argued to the Third Circuit that rulemaking in this area may be impossible because cybersecurity is “one of the fastest changing areas of technology.” If formal rulemaking may be impossible, then how is a company supposed to know what data security practices could get it in trouble? In the Wyndham Hotels and LabMD cases, FTC lawyers have urged those companies to consult the more than 50 data security lawsuits the agency has filed. Those complaints “are akin to policy statements or interpretive rulings, which, though not binding, ‘reflect a body of experience and informed judgment to which courts and litigants may properly resort for guidance,’” the FTC said in its brief to the Third Circuit. Many of the companies that have been sued for data security lapses have settled their charges with the FTC, including Snapchat, Inc., Fandango, LLC, HTC America, Twitter, Inc., and Rite Aid Corp.