FTC Closes 70% of Cyber Security Cases It Opens, but That’s Not All Good News

Dealing with Federal Trade Commission (“FTC”) cyber security standards can be a daunting task, as the FTC enforces cyber security issues under Section 5 of the Federal Trade Commission Act, which prohibits “deceptive” and “unfair” business practices generally.  Beyond that general mandate, however, there are no hard-and-fast guidelines as to what the FTC considers to be “reasonable” by way of cyber security efforts a company may have taken before a breach.  Indeed, the FTC has pointed to at least seven different sources of information as to what a company should do to keep customer and employee data safe:

“[FTC standards] can be found in speeches, business education, Congressional testimony, articles, blog entries, these concepts have been laid out pretty clearly in Commission materials, as well as other FTC settlements in the data security area.”  In re LabMD, Deposition of Daniel Kaufman, Deputy Director, Bureau of Consumer Protection, FTC, May 12, 2014.

Further, the first court to address the issue noted that “the contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’,” referencing “industry standard practices,” as the touchstone for what should be considered reasonable.  See FTC v. Wyndham Worldwide Corp., et al. (DNJ - 2:13-cv-01887-ES-JAD).

Against this backdrop of uncertainty, FTC Commissioner Maureen Ohlhausen has recently revealed that where the FTC begins an investigation into a data breach, it closes 70% of those investigations, based on a finding that the efforts the subject of the investigation took in relation to cyber security were reasonable under the circumstances.  Her comments are here:


This would appear to be good news, and shows that the FTC is looking hard at the facts and circumstances of each case individually.  That being said, the costs and disruption, as well as the potential risk of FTC investigation, can be enormous.  Case in point, the recent $100 million fine Lifelock agreed to pay for violations of a prior stipulated order concerning cyber security failures it had entered into with the FTC.  Even if the FTC is closing the majority of the cases it opens, the lack of clarity as to what standards the FTC will apply when investigating a breach perpetuates the uncertainty to a breached entity inherent in any FTC investigation.

The New US-EU Privacy Shield
DOL’s Changes to the FLSA Salary Test for White Co...


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.