Cyber Security: Can't We Just Be Reasonable?
Jacob Horne
CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |
There have been many vehement opinions in the wake of the recent FTC settlements with Equifax and Facebook, but have you ever asked yourself why FTC actions against companies that experience large data/privacy breaches seemingly always end with settlements rather than litigation? While we wait for the inevitable Capital One settlement, we should take some time to formulate our thoughts on what our collective goals are, especially in the cyber security community.
There are several pragmatic reasons why FTC actions end in settlements, but ultimately (for both sides) the uncertainty of litigation simply isn't worth the significant time and cost. FTC settlements are mutual agreements that do not concede liability, so companies do not admit to any wrongdoing. Plus, the dearth of FTC resources compels efficiency: the Commission targets cases where companies have little defense in light of the facts. The result is an outsized signal from the FTC to other industry stakeholders about what proper data security entails.
David Vladeck, former director of the FTC Bureau of Consumer Protection, has noted that it's rare to "find an FTC data security case where there was a serious argument that the security practice met industry norms. Many of the security lapses were egregious by any measure." But if the facts are so damning, why not pursue litigation as an avenue to clarifying and solidifying data security precedent?
The answer is that litigation carries uncertainty, and it is a risk on which neither companies nor the FTC seem willing to roll the dice. The official statement of the FTC Chairman and Commissioners regarding the recent Facebook settlement is useful in understanding this conundrum (reorganized for clarity):
"...the Commission started and ended its analysis in pursuit of one goal above all: to obtain the most meaningful relief to best protect the American public. Whether to settle or litigate, and whether to label an individual a “defendant” or not, are potential means to attain this goal—not goals in and of themselves. To evaluate whether we would accomplish our goal, we asked: “Is the relief we would obtain through this settlement equal to or better than what we could reasonably obtain through litigation?” If the answer had been “no,” it would have made sense to aggressively move forward in court. The answer, however, was “yes”—because the relief we have secured today is substantially greater than what we realistically might have obtained by litigating, likely for years, in court. ...In light of our responsibility to be effective stewards of the public resources entrusted to the Commission, it would not have made sense to pursue protracted and expensive litigation likely to yield substantially weaker relief."
"Our colleagues lament that the Order does not do more. For example, they would rather the Order impose more limitations on data collection and use. The argument that “more is better” is certainly appealing, but it relies on a false dichotomy: a hypothetical “more” versus the extraordinary and certain relief the Commission has obtained. As a civil law enforcement agency (and not a regulator), we can only get what we can win in litigation or via hard-fought negotiations (As noted previously, even if the Commission were to succeed at litigation, the types of conduct prohibited or required by a court are constrained by the allegations laid out in the complaint and proven in litigation and what the court considers to be reasonable “fencing-in” relief). ...Courts enjoy a great deal of discretion in assessing civil penalties under the FTC Act, and they often depart, dramatically and downwardly, from the theoretical maximum. The government has only obtained civil penalties of billions of dollars in rare cases involving environmental disasters or large-scale financial fraud."
"Even assuming the FTC would prevail in litigation, a court would not give the Commission carte blanche to reorganize Facebook’s governance structures and business operations as we deem fit. Instead, the court would impose the relief. Such relief would be limited to injunctive relief to remedy the specific proven violations and to prevent similar or related violations from occurring in the future. Thus, it is highly unlikely the Commission could have obtained this magnitude of injunctive relief if we had proceeded with litigation. For example, because we do not, and could not, allege and prove that Facebook’s current Board structure is illegal or that changes in corporate governance are necessary to effectuate compliance with the Order and the FTC Act, it is unlikely that a court would mandate any corporate governance reforms."
"The FTC does not have the authority to regulate by fiat. ...Our 100-year-old statute does not give us free rein to impose these restrictions. In order to serve the public interest and provide real protections for consumers, the Commission must compare settlement options against what it might reasonably obtain through litigation. Litigation would have delayed the imposition of these important consumer protections and, in all likelihood, would have led to reduced deterrence and weaker privacy protections."
The vast patchwork of regulations and statutes cropping up across states and industries leaves many gaps, and those gaps ultimately fall under the umbrella of the FTC. Under Section 5 of the FTC Act, the Commission can bring action against companies for unfair or deceptive acts or practices, which covers both breaking promises made to consumers (deception) and causing consumer harm they cannot reasonably avoid (unfairness); the scope of both definitions has expanded over time. The FTC maintains that failing to implement reasonable security measures is an unfair practice, but what does "reasonable" really mean?
What is the substantive, instructive bright line that we can use to evaluate the facts in the wake of a large-scale data breach? The vagueness of "reasonable" allows the FTC to rely upon industry best practices to inform its actions, and Vladeck has explained that the FTC "looks at the company's conduct and sees to what extent it measures up to industry standards writ large". Yet how are companies, their boards, executives, and counsel supposed to interpret this standard, the standard of the de facto data security "regulator" in the country? Given the myriad frameworks and control catalogs, imagine a court's burden in interpreting this topic. Then imagine what decisions might come of those interpretations and what effects those decisions could have broadly. Taken this way, do FTC settlements, despite their drawbacks, really seem to be the inferior option compared to litigation?
Given the nature of the Equifax and Facebook settlements, and the resulting rhetoric, what do you imagine we will see with regard to Capital One, months from now? When the dust settles and we know the facts, how will we know whether their security efforts were reasonable or not? Is it fair to companies to only tell them what was unfair after something happens? The FTC is rapidly approaching 200 data security and privacy settlements. Is the security industry any closer to an agreement on what "reasonable" security means?
VP Business Development - Eden Mark 3 & Leviathan projects.
5 years: FINRA should regulate these crimes working in tangent with the DEA and Tertia Optio.
Cybersecurity & Privacy Partner at K&L Gates
5 years: Great article, Jacob. Would love to engage more on this topic!
Managing Director @ Brown & Brown Risk Solutions | CPCU Optimize the way you identify, quantify, mitigate, and finance risk.
5 years: Bottom line: "There are several pragmatic reasons why FTC actions end in settlements, but ultimately (for both sides) the uncertainty of litigation simply isn't worth the significant time and cost."
Cyber Resilience Thought Leader | CEO, Cyber Risk Opportunities | Cybersecurity LinkedIn Learning Course Instructor | Co-host Cyber Risk Management Podcast | Amazon Best Selling Author | International Keynote Speaker
5 years: Jake Bernstein, CISSP, I think this would be a great topic for an upcoming episode of the Cyber Risk Management #Podcast. What do you think? https://www.cyberriskopportunities.com/podcast
Cybersecurity Consultant @ Comtech (Oxford Global Resources) | IT Security Operations, Cybersecurity
5 years: CEOs understand how to run a business and get compensated accordingly. We will continue to see breaches until the measure of financial loss is played on them individually by jail time. The laws were established in the 90s to put security into our business; now it is time to enforce those laws properly, fairly, and have accountability at the top for putting security into place.