E-Commerce Law Week, Issue 382
December 10, 2005
FTC Hare Continues To Speed Ahead of Congressional Tortoise on Information Security Regulation
When it comes to regulating industry information security practices, Congress and the Federal Trade Commission ("FTC") seem to be reenacting Aesop's fable of the tortoise and the hare. While Congress plods methodically along with various security-related bills, with nothing likely to be enacted before year's end, the FTC continues to race ahead, setting de facto security standards for industry through enforcement actions based on its general authority to prevent "unfair . . . acts or practices in or affecting commerce." 15 U.S.C. § 45(a)(1). On December 1, shoe retailer DSW, Inc., settled FTC charges that the company's data security failures earlier this year -- which had allowed hackers to access the credit card and debit card information of more than 1.4 million consumers and the checking account information of 96,000 customers -- constituted an "unfair practice." Notably, the case marks only the second time that the FTC has based a data security enforcement action on the FTC Act’s "unfairness" prong (the first being the Commission’s action against BJ’s Wholesalers this past June). In previous security breach cases, the FTC had based its allegations on the "deceptive practices" prong of the Act -- targeting, for instance, companies that failed to follow their own privacy policies, and thus allegedly deceived customers. The DSW case, like the BJ’s case before it, demonstrates the FTC’s continuing willingness to take action against companies that do not have a specific statutory obligation to safeguard personal information and have never promised customers that their personal information would be secure in the first place. In Aesop's fable, the hare gets bored and falls asleep while the tortoise crosses the finish line. But the FTC is not likely to stop racing ahead unless and until a company refuses to settle and challenges the FTC's statutory authority.
D.C. Circuit Narrows FTC's Jurisdiction Under Gramm-Leach-Bliley
Hear that wind blowing outside? No, it's not another winter storm. It's the entire legal profession breathing a collective sigh of relief, as it avoids the FTC's jurisdictional claws under the Gramm-Leach-Bliley Act (GLBA). On December 6, the U.S. Court of Appeals for the D.C. Circuit rejected the FTC’s claim of jurisdiction under the GLBA to regulate law firms as "financial institutions." American Bar Ass'n v. FTC (No. 04-5257). The appeals court affirmed a district court ruling that the FTC’s decision to subject attorneys to GLBA privacy requirements "exceeded the statutory authority" of the FTC and "was therefore invalid as a matter of law." This ruling represents a rare defeat for the FTC in a jurisdictional challenge, and provides a useful reminder that there are indeed limits to the types of activities and entities that are covered by the GLBA. The D.C. Circuit’s decision also could bode well for any companies that muster the intestinal fortitude to challenge the FTC’s assertion of jurisdiction in other areas, such as its claim that it can effectively enact and enforce industry information security standards under the "unfair practices" prong of the FTC Act (as discussed above). The American Bar Association case, though not directly relevant to that issue, illustrates just how to frame a successful jurisdictional challenge.
Has Regulation Gotten in the Way of European Innovation?
The United States and the European Union remain the world's two largest markets, but with strikingly different characteristics in various sectors. For old, traditional goods, the EU's longer history still gives it a decided edge. For traditional industrial goods, the US and EU are both home to strong companies. For the business sectors of the information age, on the other hand, the EU can't hold a candle to the US. So what's the problem for European information technology business? Some say that Europe does not have the same risk culture that is exemplified by Silicon Valley venture capitalists. But another factor, and one that is linked to attitudes towards risk, is the pervasiveness of European regulation. While such regulatory actions arguably serve laudable goals – such as protection of consumers, prevention of crime and prevention of copyright infringement – they also all reflect a European perspective that the problems of the Internet can generally be solved by "good regulation," which generally means more regulation. The overall result seems to be an environment that is not entirely comfortable for innovative business, or that can make the regulatory risks for such business unacceptable.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













