A few years ago, the Federal Trade Commission wrote a blog post that highlighted key issues companies should expect to be asked about in cyber investigations. Among other things, the FTC explained that the agency looks at “privacy policies and any other promises the company has made to consumers about its security.”[1] Indeed, most FTC cyber enforcement cases turn on allegations that a company made misleading statements regarding the type, strength, or even presence of security measures associated with its product or services. Offending statements can appear in a variety of contexts, including privacy policies, terms of service, marketing materials, and even investor-relations materials, just to name a few.
In this vein, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corp.[2] is instructive. On three occasions in 2008 and 2009, hackers allegedly exfiltrated payment card data of more than 619,000 Wyndham guests. The FTC brought an enforcement action under the unfairness prong of section 5 of the FTC Act,[3] arguing that Wyndham’s security practices “unreasonably and unnecessarily” exposed personal data to unauthorized access and theft. The complaint also raised a deception claim for allegedly misleading statements in the company’s privacy policies. Those policies contained allegedly false representations that data was protected according to “industry standard practices” and “commercially reasonable efforts,” such as using “128-bit encryption,” “fire walls,” and “other appropriate safeguards.”
Private plaintiffs routinely allege that companies not only fail to protect data (thereby resulting in a breach) but also deceive consumers in privacy policies with security-related misrepresentations. For example, these types of allegations featured heavily in complaints against Marriott following its 2018 announcement that Starwood databases had been breached starting in 2014 (e.g., “Ultimately, Marriott could and should have prevented the data breach by implementing and maintaining reasonable safeguards, consistent with the representations Marriott made to the public in its marketing materials and privacy statements, and compliant with industry standards, best practices, and the requirements of [ ] State law. Unfortunately, Marriott failed to do so, and as a result, exposed the personal and sensitive data of hundreds of millions of consumers.”).[5]
We offer the following tips for identifying potential privacy-related cyber exposure points:
- Check What Your Company Publicly States About Security
Be thoughtful about the fine line between transparency that informs customers on the ways in which you collect, use, share, store, and transfer data and vague language or catch phrases—such as “industry standard security,” “bank-level encryption,” or “we do everything we can do to secure your data”—that can land a company in hot water. Decide whether detailed statements about your plans, protocols, processes, and tools are necessary and generate any value. Avoid overstating your security practices or implying that a high level of security is applied across the board if in fact it is applied only in more limited circumstances (e.g., to subsets of data, to data in transit but not at rest, or by the company itself while the practices of its service providers are unknown).
- Regularly Refresh Assessments of Publicly Made Statements
All external (consumer-facing) representations should be reviewed no less than twice per year. Reviews should be accelerated as part of privacy-by-design processes any time new products or services will be deployed. Counsel should conduct these reviews as group exercises with mandatory participation by IT/InfoSec and Marketing/e-commerce (which often have the first line of sight to new tools and technology being considered and deployed).
- Consider Reasonable Security Disclaimers
We regularly see privacy policies that trumpet claims like “Security Guaranteed” and “Bank Level Security” (often by nonfinancial services entities!). Given the shifting cyber threat landscape, virtually any assurance regarding security is susceptible to legitimate scrutiny. This is why many companies include blanket disclaimers that security measures may change, may be unavailable from time to time, or may even be circumvented by sophisticated actors (e.g., “We cannot guarantee 100% security. No security is fail-proof.”). Competent judgment is required to strike a thoughtful balance: any legal benefits that disclaimer language may provide should be weighed against the PR/business impact of being viewed as shifting risk to the consumer. And even though disclaimers are not a panacea, they can at least provide arguments regarding what consumers should reasonably expect.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
[1] M. Eichorn, If the FTC Comes to Call, FED. TRADE COMM’N BUS. BLOG (May 25, 2015), www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call.
[2] FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[3] 15 U.S.C. § 45(a).
[4] Wyndham, 799 F.3d at 245–46.
[5] Complaint, Hiteshew v. Marriott Int’l, Inc., No. 8:18-cv-03755 (D. Md. Dec. 6, 2018).