FTC To Face Grilling by 3rd Circ. Over Data Security Powers

February 27, 2015 – In The News

Scott L. Vernick was quoted in the Law360 article, “FTC To Face Grilling by 3rd Circ. Over Data Security Powers.” Full text can be found in the February 27, 2015, issue, but a synopsis is below.

On Tuesday, March 3, the scope of the Federal Trade Commission’s authority will take center stage before a three-judge panel in Philadelphia.

Questions posed by the appellate panel in advance of the arguments indicate that the regulator could face a tough battle in trying to fend off Wyndham Worldwide Corp.'s claims that the agency doesn’t have the authority under the unfairness prong of Section 5 of the FTC Act to regulate companies’ cybersecurity practices.

"This is going to be one of the most important decisions that is going to come down over data security, because it's really going to determine the jurisdiction of the FTC, which has planted itself as the principal regulator in this area," said Scott L. Vernick, a noted privacy attorney.

Among the questions posed by the appellate panel is what role the courts have in regulating data security, especially given the absence of formal guidance from the FTC on the issue.

"I'm not sure that the court is in any better position than the FTC to make that determination [of what constitutes reasonable data security]," Vernick said. "If you say that the court can, then it's going to come down to a battle of experts, because the plaintiff is going to put up an expert that says the company did not adhere to the standard of care, and the defendant's expert will say that the company did."

But according to Vernick, having the FTC lay out prescriptive data security standards prior to taking enforcement action, as Wyndham argues it should, may not be the best approach to the issue either.

"While it's technically true that there is a lack of regulation and we don't know what the standards are, that argument might be overblown," he said. "A lack of regulation may ultimately be helpful because you don't risk setting a one-size-fits-all standard for data security that doesn't fit anybody."
