As we have previously observed, banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.
For companies also subject to the FTC’s jurisdiction, the threat of FTC regulation of their cybersecurity policies and procedures became significantly more imminent as a result of the Third Circuit’s August 2015 decision in FTC v. Wyndham Worldwide Corporation. In that case, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act. The prohibition of “unfair” acts or practices in Dodd-Frank is based on the unfairness standard in Section 5.
However, in a more favorable development, the FTC’s Chief Administrative Law Judge recently dismissed the FTC’s complaint against LabMD, Inc., in which the FTC charged that the company engaged in unfair acts or practices in violation of Section 5 by failing to adequately protect consumer data. According to the FTC, the company’s failure to provide reasonable and appropriate security for personal information maintained on its computer networks resulted in two “security incidents.”
For both incidents, the ALJ based its decision to dismiss the complaint primarily on the FTC’s failure to prove that the company’s practices were “likely to cause substantial injury to consumers,” as the unfairness standard in Section 5 requires. This was largely because, in both incidents, no consumers had been harmed despite the passage of considerable time since the incidents occurred.
This decision marks the rare instance in which a company has successfully challenged an FTC data security action. For more on the decision, see our legal alert.