Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s (FTC) data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre-Wyndham and LabMD era, those inquiries typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
Post-Wyndham and LabMD, Congress has paid increased attention to the details of the FTC’s enforcement activities involving data security matters. In Wyndham’s challenge of the FTC’s action, the company argued that the FTC had not provided fair notice of what data security protections a company must employ to comply with Section 5 of the FTC Act. Although Wyndham’s argument did not prevail in court and Wyndham settled with the FTC in 2015, Congressional activity has shown that fair notice remains an issue for certain influential members of Congress. At a Senate hearing last month, Senator John Thune, Chairman of the Senate Commerce Committee, used his opening statement to tell the FTC Commissioners seated before him that “American merchants are also entitled to fairness and due process when it comes to enforcement.” And, this month, Senators Jeff Flake and Michael Lee, Subcommittee Chairmen for FTC consumer protection and antitrust matters, wrote a letter to the FTC Chairwoman asking a series of detailed questions on how the Commission views its notice standard, including asking what guidance, if any, the FTC has given to small businesses on the notice standard they interpret from the Third Circuit’s ruling in the Wyndham case.
The LabMD case also refocused Congressional oversight of the FTC’s data security actions. In 2014, the Chairman of the House Oversight Committee Darrell Issa sent a letter to the FTC Chairwoman claiming that certain FTC evidence against LabMD was incomplete and inaccurate. The Congressional letter then was submitted to the Administrative Law Judge handling the case, who put the trial on hold while the House committee further investigated the matter. Senator Thune also admonished the Commission at a Senate hearing earlier this month to only bring data security cases based on “unfair” practices when those practices result in monetary, not emotional, injury to consumers – a key distinction that lies at the heart of the LabMD case.
These activities by Congress are significant developments. Based on Wyndham, some members of Congress continue to press the Commission on how it interprets its broad Section 5 statutory authority in the context of data security enforcement actions. In the case of LabMD, Congress has now set a precedent for using its oversight powers to intervene in ongoing data security litigation.
Notably, this Congressional activity also has been actively used by the parties in ongoing litigation. In Wyndham, the company argued unsuccessfully that new data security legislation introduced by Congress supported its contention that the FTC did not provide Wyndham – or any other entity – with fair notice of what data-security protections it must employ. In LabMD, the company is currently seeking to stay enforcement of the FTC’s final order before the Eleventh Circuit, and its motion to stay enforcement cites Senator Thune’s 2016 remarks at the Senate hearing as supporting its conclusion that the Commission’s unfairness authority does not cover intangible harms such as emotional or reputational harm.
One might chalk up the change in focus in Congressional oversight to traditional political dynamics – a Republican Congress pushing back on a Commission led by a Democratic appointee. But, regardless of why Congress changed its posture, these activities are clear attempts to alter the Commission’s data security enforcement path. Stakeholders will want to follow closely how these Congressional activities impact future decisions by the FTC on the types of enforcement actions to pursue and the manner in which these enforcement actions are presented to the courts.