I splurged and purchased a copy of the transcript of Thursday’s oral argument in FTC v. Wyndham . You can download it here (PDF, 561kB, 186 pp.). Consider it an early holiday gift from PogoWasRight.org to you.
I look forward to reading everyone’s reactions after we’ve all had time to read it. I did a quick read, and here are my first impressions on some of the issues:
I thought Wyndham’s strongest argument was on the fair notice issue. Surprisingly (to me, anyway), Wyndham’s counsel did not seem to know when the FTC first published its guide for businesses. Although Wyndham argued that a guide is not sufficient anyway, and rules providing safe harbor are required, I think their argument would have been even stronger if they were able to show that there wasn’t even a guide at the time of their breaches. FTC’s currently available guide for businesses shows a November 2011 creation date in the metadata, which was three years after Wyndham’s breaches. The FTC had previously created an interactive tutorial in September 2010, but that was still after the breaches. Did they ever publish any stand-alone guide on data security prior to September 2010 that would have been applicable for large businesses like Wyndham? If I were Wyndham’s counsel, that’s something I would have definitely wanted to know before going into court to argue fair notice. That said, I thought Eugene Assaf, Wyndham’s lawyer, was effective when he noted that in other situations, FTC had promulgated rules and the Department of Commerce, DHS and the President had seemingly been able to do what the FTC said it wasn’t feasible to do because of its concern for small businesses:
In addition, as your Honor knows from doing your own research on the Cybersecurity Act and the Executive Order, and again the Court can take judicial notice of the Executive Order by the president, that is done, that is part of the record here, is that the cybersecurity framework lays out in detail certain protocols that they encourage companies to follow. So this goes to the feasibility issue. If you have one executive agency publishing guidelines, and I am sorry they are so small but they are on the slide 51, very interesting, your Honor, if you look at the bold on the right, COBIT, BA, ISP, CCS, TEC.
These are all references to certain hardware and software protocols. So when we talk about fair notice, your Honor, if the FTC had done what the Department of Commerce and the Department of Homeland Security had done, and published certain guidelines, then this would be a far different argument. (Transcript, p. 65)
FTC’s counsel stressed that coming up with one set of rules for data security might be unduly burdensome for small businesses and that the FTC did have the authority to enforce on a case-by-case basis.
Wyndham should be careful what it wishes for. In his argument, Assaf pointed out that the FTC developed rules and regulations for COPPA and other statutes when directed to by Congress, and he argued that they could do the same for data security but hadn’t. In his response, Kevin Moriarty for the FTC pointed out that the regulations Congress directed the FTC to promulgate gave the FTC the [additional] authority to take action against violators even if there was no demonstration of consumer harm. In data security, and without any specific additional authority, the FTC is currently limited to pursuing only cases in which there is significant consumer harm. If Congress authorizes them to go after those with sloppy security even if there is no consumer harm, well, businesses might get the fair notice they claim they have not gotten, but be even more unhappy with the results.
Wyndham’s counsel argued that the FTC misrepresented the harm to consumers by using a $10.6M figure for fraud costs, as consumers have no liability for fraudulent card use even if 600,000 card numbers were stolen. He argued that the FTC’s area is consumer harm, not businesses’ harm, and that FTC had failed to establish a causal link between the security vulnerabilities and deficiencies they noted and the actual harm to consumers. The FTC’s response reflected a broader definition of “harm” than we generally see recognized by courts in data breach lawsuits:
The injury we have alleged in paragraph 40 that is not reasonably avoidable, all the injuries is not reasonably avoidable, include unreimbursed fraud charges, the loss of access to funds as a result of frozen or depleted bank accounts, even if temporary, temporary loss of access to credit, and the cost of reasonable mitigation, and then we also allege injury in the form of time, trouble and aggravation dealing with unwinding this fraud, and with re-establishing recurring payments after the credit cards have to be changed for hundreds of thousands of consumers.
As far as that last point, the time, trouble and aggravation, I dispute the characterization as emotional harm, or not covered by the FTC Act. In FTC versus Neovi, which is a Ninth Circuit case, there was a very similar set of circumstances, and the Court found that even if consumers were fully reimbursed or raised on their debit accounts as a result of unfair data security practices by the defendant in that case, even though they were reimbursed, the time, trouble and aggravation of being reimbursed constituted a harm under the FTC Act.
Authority to Enforce Data Security
On the major challenge as to the FTC’s authority in the area of data security, Wyndham came out swinging. As much as Solove and Hartzog have argued that FTC’s privacy jurisprudence is the functional equivalent to a body of common law, Wyndham’s counsel argued that Congress never gave the FTC authority in the area of data security, (some) bills introduced in Congress do not incorporate the FTC as the authority, and if Congress wanted FTC to have the authority, by golly, they would have done so as they did in COPPA and other areas.
FTC’s counsel responded, in part, that they did not need additional authority as their mandate is to protect consumers and breaches due to data security failures harm or injure consumers. Congress’s inaction on data security was a point raised by both sides, but of course, interpreted differently.
Wyndham also argued that consent decrees do not prove that the FTC has the authority to enforce data security:
court after court has said the entering of a consent decree is not a decision on the merits and does not therefore adjudicate the legality of any action by the party thereto, nor is a consent decree a controlling precedent for later Commission action.
Kenwit, on the Federal Trade Commission, courts and FTC have construed consent orders as contracts rather than as binding judicial precedent. The Federal Circuit, consent order does not establish illegal conduct. And so forth. I don’t think there is any Court of Appeals cases suggesting that consent decrees are binding or even persuasive, or even binding on the agencies, yesterday alone other parties. (Transcript, pp. 66-67)
Judge Salas was impressive in her preparation for the arguments. At one point, she mentioned doing her own research online to track down a copy of CISPA that had been mentioned in Wyndham’s briefs, but not provided to her.
I don’t think FTC proponents can take too much comfort from her refusal to stay discovery, as that seems to be pretty standard for that district court. And although she indicated she would make every effort to issue her opinion expeditiously, she noted that this case is not likely to be resolved soon:
In this particular matter, I don’t necessarily think that we are going to have a resolution of this case any time soon. And in fact, it will require the Court to resolve some rather hefty, and I think intellectually challenging issues that the Court will wrestle with, and do my best to issue a thoughtful opinion in the near future (p. 185)
So… those are some of my preliminary reactions. I’ll post links to others’ more detailed and lawyerly analyses as they become available.