As I expected, a slew of law firms posted their analyses and commentaries on Judge Salas’s ruling on Wyndham’s motion to dismiss the FTC’s complaint about its data security.
I haven’t linked to most of them, but took note of this commentary by Lance Koonce and Christin McMeley of Davis Wright Tremaine as they take a less FTC-friendly view on the issue of fair notice. They write, in part:
There is a tension between Judge Salas’ rejection of numerous consistent public statements by the FTC disavowing its power as “unconvincing,” discussed above, and the judge’s willingness to accept a patchwork of publications and statements and consent decrees by the FTC as giving fair notice of a discernible standard for reasonable data protection that businesses everywhere must understand and follow. Indeed, the public statements and business guidance brochures can hardly meet the specificity of an interpretive rule or general statement of policy that would be required to go through a rigorous public (and congressional) comment period and give affected businesses an opportunity to conform to the any applicable standard.
[…]
The question is whether this is the manner in which we want our agencies to promulgate guidance for all businesses operating with the jurisdiction of the United States on a topic as important as data security, rather than through formal rulemaking. Moreover, do we want agencies to then be able to bring standalone enforcement actions for violations of that guidance? While it may be possible for scholars to assemble lists of standards from various sources, is this the optimal way for companies to ascertain the applicable standards and apply them on the ground? How thoroughly must a company scour FTC literature, public statements and settlements, and to what extent must every piece of guidance be followed—for instance, is “Privacy by Design” now a requirement that must be followed, and what type of documentation of compliance with that rubric will suffice if the FTC challenge’s a company’s compliance? How will a company ever feel confident that it is providing “FTC-sufficient” protection for its customers’ data?