Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them @cyberriskopportunities.com and focallaw.com.

Kip Boyle: So Jake, what are we going to talk about today?

Jake Bernstein: Today Kip, we're going to talk about the FTC's data security regulation and why we always seem to get settlements rather than litigated court outcomes.

Kip Boyle: What a great lawyerly topic. I guess I've been monopolizing the script too much lately. How did this come up?

Jake Bernstein: Well actually Kip, you picked it.

Kip Boyle: All right. Really?

Jake Bernstein: Yes. In fact, the issue was raised by a fellow CISSP named Jacob on LinkedIn. And here's a shout out to Jacob Horn.

Kip Boyle: Hey Jacob, thanks.

Jake Bernstein: And you suggested it would make a good podcast topic. So here we are.

Kip Boyle: Yeah. No, that's true. I just didn't realize it was going to come up in the order in which it did but that's great. So I guess nobody in the audience can blame Jake for creating a law focused episode. I am your partner in crime. All right. Well, lets set things up. So how are we going to do this?

Jake Bernstein: Well, I think I'm going to ask you actually, what made Jacob's LinkedIn info so interesting to you?

Kip Boyle: Well, one of the things I like about it is Jacob is a practitioner and I always enjoy talking to people who are out in the field trying to manage cyber risk. And so anytime somebody who's actually in the field says, "Hey, this is important to me." I automatically counted as being interesting.

And then when I read his LinkedIn article, which is still up there and you can read it too. I thought, wow, this is great. Because settlements just are not as emotionally satisfying as wrap the gavel, you are guilty, and I'm going to punish you stuff seems to be. And maybe that's because I watch too much TV. I don't know.

Jake Bernstein: Oh man, there are so many legal problems with that statement. So first of all-

Kip Boyle: Everybody remember, I'm not a lawyer.

Jake Bernstein: Yes. No, it's true. So anyway as you may expect, I have quite a few thoughts on this whole topic. And yes I am a lawyer, but our listeners may not know that I worked very closely with the FTC for almost a decade in my role as a consumer protection attorney with the Washington State Attorney General's Office.

And actually I practiced the same type of "regulation" that the FTC does using the Washington Consumer Protection Act. Which believe it or not and you may laugh is often referred to as a Baby FTC Act.

Kip Boyle: A Baby FTC. Oh my gosh, I can go so many places with this but I won't. But when you say Washington Consumer Protection Act is that Washington State or Washington D.C.?

Jake Bernstein: Washington State. And every state has some kind of-

Kip Boyle: Okay. So we have the Baby FTC Act here in our state. Okay.

Jake Bernstein: Yeah. And there's actually quite a few Baby FTC Acts around the country.

Kip Boyle: Oh my God, you're just opening the door. You're just baiting me to say things I'm not going to say.

Jake Bernstein: Okay. So let me explain. The operative language of the FTC Act is actually quite short and just to paraphrase it. Unfair, or deceptive acts or practices in trader or commerce are hereby declared unlawful. And what makes a Baby FTC Act like the Washington Consumer Protection Act is that it uses the same language.

And the reason that we say Baby FTC Act is that there are actually other types of Consumer Protection Acts out there among the states. I want to say for some reason, Illinois comes to mind that are not Baby FTC Acts. They're just different. Sometimes they have lists of unfair deceptive after practices, sometimes they have just a largely different structure. But that's why we call it Baby FTC Act.

Kip Boyle: Okay. So very interesting. But is it relevant or important to our audience?

Jake Bernstein: It is. It's very important and relevant. And because there is this misunderstanding out there. And again, shout out to Jacob Horn for valiantly trying to correct it, about the FTC and its powers.

Kip Boyle: Okay, then what's the misunderstanding?

Jake Bernstein: So the FTC is not a regulator in the same sense that say the FDA or the SEC are regulators. Those agencies set detailed rules, which we call regulations hence the terms. And while courts can and do get involved the agencies themselves have a fair degree of power to enforce their own rules and regulations.

Now, the FTC has promulgated a few regulations, but they are really specific and they don't yet relate to security. In fact, some of the more famous ones are, there's a CAN-SPAM regulation that's very specific. And then probably the most important one is the so-called the Telemarketing Sales Rule.

Kip Boyle: Okay. So wait a minute. So Washington State has a Baby FTC Act, but based on what you said now, I'm thinking of the FTC as a baby regulator with respect to the FDA and the SEC. crosstalk interesting.

Jake Bernstein: Yeah. I wouldn't call it a baby regulator. I mean, on the one hand it has a vastly larger purview than either the FDA or SEC. And what I mean by that is that the breadth of industry that it regulates is unparalleled actually. No other regulator has such a broad kind of broad-

Kip Boyle: Landscape.

Jake Bernstein: ... broad authority is what I would say.

Kip Boyle: Broad authority. Okay.

Jake Bernstein: Yeah. But I think when people think about regulations, they do tend to think about very detailed sets of rules that have to be followed.

Kip Boyle: No, that's true. I mean, if you're a publicly traded company, there's books for all of them.

Jake Bernstein: Yeah, exactly. Well they exist whether you're a publicly traded company or not in some cases. So to differentiate, the FTC has called itself and I agree with this, a civil law enforcement agency. And that's pretty much the same thing as state attorney's general. And what it means is that they primarily do their job via investigations and lawsuits.

And I do not want to take our audience down the Administrative Procedure Act and the differences between agency action and court action. But let me just leave it at, it's really complicated and there's a lot of nuance there. But largely FTC does its job by suing companies, that's what it does. And that is quite different in a lot of ways than kind of a typical "regulator," what you think about.

Kip Boyle: Okay. Now, because I'm not a lawyer, you and I have had conversations in the past about law so that I could sort of keep up with you. And one of the things that I learned is that civil lawsuits in that arena, litigation to the bitter end is a rare thing. Am I remembering that right?

Jake Bernstein: That's exactly right. I mean, it's extremely rare actually. I think depending on the state or federal district court you're in, easily more than 90% of all civil lawsuits will settle.

Kip Boyle: Okay. And so what Jacob said in his post is the reason why 90% or more of the civil lawsuits are settling is because of the expense and because of the uncertainty. I mean, both sides really go into it. They know what they want as far as an outcome is concerned, but there's still a lot of uncertainty. I mean, what does the FTC have to lose? I mean, why wouldn't they just fight it to the bitter end? That's what they do, right, that's their job?

Jake Bernstein: So I mean, that is a very fair question and a good point. And when I was at the attorney general's office doing civil law enforcement, this question wasn't just hypothetical, I lived it. And particularly when defendants would sometimes forget that it was my job to bring cases and they would try to scare me away from court. That doesn't work directly.

But what does work in every case is bringing a reasonable defense before the regulator and convincing the regulator that, "Hey, look a court may not agree with you." And that is something that a regulator does not want to deal with because losing ends up being a waste of time, resources, money.

Kip Boyle: And it goes on their permanent record too, doesn't it? I mean, like you lost this. And doesn't that kind of undermine their authority in the future on that issue.

Jake Bernstein: So the answer of course is it depends, but broadly speaking, yes, it does.

Kip Boyle: So they have a lot to lose or they could have a lot to lose.

Jake Bernstein: They do have a lot to lose, yes.

Kip Boyle: Okay. So that's kind of why. Again to answer the question, that's why the FTC wouldn't necessarily find it risk-free to litigate to the bitter end.

Jake Bernstein: It is definitely not risk-free for any regulator to litigate to the bitter end.

Kip Boyle: Okay. Got it. I have to point out that you just used the R word.

Jake Bernstein: Reasonable. Yes, I did. Didn't I? And there's no magic to the concept of reasonableness in the broad sense. And then the idea there is that if what you did or didn't do was reasonable, then a judge is unlikely to say you did something wrong enough to impose liability. crosstalk.

Kip Boyle: Yeah. And in a previous podcast, we talked about how a business decision maker actually has a lot going for them because of the, what did you call it now? The business judgment rule.

Jake Bernstein: Business judgment rule, that's right. Good job, Kip. You've kind of gone through a bit of law school, haven't you?

Kip Boyle: That's what happens when I hang out with people like you. But that tells you that a business actually stands on some pretty good ground already.

Jake Bernstein: It does. And one thing I wanted to point out real quick is the very beginning of this episode, you had said, people they have this emotional reaction, and they kind of want to see the gavel banged against the big desk and a guilty impose.

And I want to point out that in laws and everything, the language and choice of words can make a big difference. And it's important to understand that in civil court, we say liable, we don't say guilty or not guilty.

Kip Boyle: Hollywood is so much more fun.

Jake Bernstein: Yeah. Well, it is. So guilty and not guilty is for criminal court. You're guilty or not guilty of a crime. And if you think about it, that's a binary status, right?

Kip Boyle: Yeah. I mean, because then you're in prison or you're not in prison. I mean, it's a big life changer.

Jake Bernstein: Exactly. Now, contrast that to liability. Okay. So one week I could say you're either liable or you're not and that does happen. But more often than not you are liable but the question is how much, and that is a very analog question. You could be liable for $10 or you could be liable for $10 million. So it's not enough to say liable or not, you have to figure out how.

And you could argue that guilty or not guilty and the length of your sentence gets taken into account. That's true. But civil liability, there's always this question of how much. And it comes back to classic ancient tort law. And I don't mean tort like the dessert. I mean the tort crosstalk.

Kip Boyle: You're making me hungry, man.

Jake Bernstein: I know. Tort law as in the negligence standard.

Kip Boyle: Okay. That kind of gets us back on topic, right? Because really a lot of cybersecurity is about were the decision makers negligent or were they reasonable?

Jake Bernstein: Yeah. And what's interesting is that negligence it's really a two part question. Did a duty exist and did the defendant violate that duty? And obviously, I'm oversimplifying. But what you might have noticed is you don't see a lot of cybersecurity lawsuits that get a lot of press about the negligence standard.

And I think that's because one, it's not clear what kind of duties there are for cybersecurity. And when I say duty, I mean a common law duty, meaning something that a judge has said is a duty that can be violated. But the duty of care, it is combined and these concepts will start to collapse. And so the reasonableness standard is basically where we are right now.

Kip Boyle: And that kind of makes this time and the work that we do so interesting, because it's not settled. We can't just go to a book and look it up. I mean, it's being formed.

Jake Bernstein: Yeah, exactly. I mean, honestly if it was... Shout out to you and your book, Fire Doesn't Innovate. Fire law would be pretty darn boring, I would not be in it very long. The question would be, okay, there was a fire? Yep. Did you have sprinklers? Nope. Okay. You're liable.

Kip Boyle: Let me run the checklist.

Jake Bernstein: And that's boring. That's super easy, and boring. And it's so boring and so easy that its all being kind of... That used to take place in court. Now it's done by insurance adjusters.

Kip Boyle: Yeah. And apologies to any attorneys out there that are practicing in fire law. But that's just what it looks like from where we are.

Jake Bernstein: Yeah, exactly. So anyway, where am I going with all of this is the bottom line here is that the FTC can't just declare something to be unlawful. It has to prove in court that a defendant committed one of those unfair or deceptive acts or practices that I mentioned.

And right now in cybersecurity, that means failing to employ reasonable safeguards to protect the confidentiality, integrity, or availability of data, given the type amount and sensitivity of that data in relation to the size, sophistication and capability of the defendant.

Kip Boyle: Don't tell me you memorize that.

Jake Bernstein: I wrote it down. But it is the FTC cyber security standard. That's what they have said, that's kind of how it looks.

Kip Boyle: All right. So the FTC can make allegations about a company cybersecurity practices, but it can't just come out and say you did that wrong.

Jake Bernstein: Right. More properly, that's what it says but so what, until a court agrees?

Kip Boyle: Okay. Or until a settlement.

Jake Bernstein: Well, and that's what I was going to say. So the FTC has to then be able to prove the allegations in court. And just a quick aside, I think there are definitely going to be listeners who wonder, doesn't the court just do what the FTC says because they're both government. And I can assure you on personal experience that this is not the case.

Kip Boyle: Well, you mean the United States, isn't just some kind of monolithic you rub my back, I rub yours thing?

Jake Bernstein: Well, there's a reason that we have a... And I'm trying to think of another example. I don't think there are many other countries where there is a constitutional three independent branches of government and this is why-

Kip Boyle: Civics. I'm in civics class.

Jake Bernstein: You are in civics class. It's super important. If the courts were just part of the executive branch then yeah, who really would expect them to be fair and impartial. They would be on the same side as the FTC. But having experienced this with the independent judiciary, you are as likely to find judges who lean against the government as well as towards it.

Kip Boyle: Okay. So we're back in civics class and we've just gone over the territory here leading up to the question which is why does the FTC settle all its cases and what's at stake for them?

Jake Bernstein: That is a very interesting question. And I can speak to it both as a defense attorney now and as a former civil law enforcer. And there's an old saying in law that bad facts make bad law, and no agency wants to be responsible for creating bad law. Now, it stands to reason that the easiest way to avoid that would be to avoid bad facts. And this is why you see the FTC bring "easy cases." Harkening back to Jacob's, his LinkedIn article.

Kip Boyle: His article. Yeah.

Jake Bernstein: So in theory no rational defendant should litigate "easy case." Easy from the FTCs perspective. So they settle crosstalk.

Kip Boyle: Okay. All right. So that may sense, but I feel like I would like to understand just a little bit more about the phrase you said, bad facts. That sounds confusing because to me a fact is like, that's undisputed. The sun is yellow in the sky or whatever. But then a bad fact is like, okay, well now you're starting to sort of imply some sort of judgment or interpretation of a fact. But what do you really mean when you say a bad fact?

Jake Bernstein: So, bad facts from the perspective of the plaintiff, which means the person who's trying to bring the case.

Kip Boyle: So facts that are not in their favor?

Jake Bernstein: Facts that are in their favor. And sometimes there are... What it's getting at is that under our system of law, there's a lot of it as statutory law, which is written down. But a lot of it is "common law." Which is judge made law, which is law that you kind of glean from how cases happen.

Kip Boyle: Is that also called case law.

Jake Bernstein: It's also called case law, yes.

Kip Boyle: I knew watching all those lawyers shows were going to pay off.

Jake Bernstein: The case law defines the common law is what you-

Kip Boyle: Okay.

Jake Bernstein: So in any event though, if a case has hyper specific facts, then its utility in the future may be very limited. And that's usually not a problem. But when a case has broad facts, then that is more challenging because it's applicability over time is going to be much greater.

And if those facts don't fit with kind of the plaintiff's goals with the litigation, then you can get bad facts. And a good example of that let's say is when you have a defendant who's either not completely rational or who just really believes in their position. And look at what happened when the FTC had litigated against LabsMD.

Kip Boyle: Yep. We've talked about that before.

Jake Bernstein: We have. One could call that a bit of a debacle, really. LabsMD fought, and fought and fought and they won some victories. And those victories do potentially throw the FTC's ability to regulate cyber security issues into question.

And let's contrast that with the very first case that the FTC took up on appeal, which was in cyber security, which was the Wyndham case. And those facts were so bad, I'm sorry. So egregious. They were great facts for the FTC and there was no risk really that they would lose, but the problem crosstalk.

Kip Boyle: Well, it certainly didn't seem like that from Wyndham's point of view because they just went down swinging.

Jake Bernstein: Well it was pathetic really. But the problem with that too, is that from our perspective and we have talked about this before, what did we learn from Wyndham? Like what can you say is the takeaway from Wyndham? And the answer is, well do something, don't be as bad as them. And so it's all very complicated is what I'm getting at.

And with the FTC and settlement you've got a lot of different factors going on here. The FTC doesn't want to bring cases that it might lose because then it could actually have its powers contracted going forward. Then there is also simply an issue of public resources. At the end of the day, these regulators, these civil law enforcement agencies are government entities that are supposed to be serving the public interest.

And do we really want a particular attorney inside one of these agencies to wage a crusade on a pet issue, and use up five years of resources when he could have settled 15 cases in the same time period and gotten something for the consumers during that time period.

Kip Boyle: Yeah. It's interesting, they kind of have the same problem that our audience has where cyber risk managers have more risk coming at them that they could possibly deal with. And so they have to make tough choices about what's a top risk. And then how can I put my limited resources to the best use?

Jake Bernstein: Yeah, exactly. And that is the case I would say for all regulators is that there's probably more violations than they will ever, ever be able to fully deal with. And so they have to decide what cases can we bring that are going to have the greatest impact and benefit the public good. Every once in a while you need to bring a hard case and you know what? Those cases stand out in history.

Standard Oil was immensely important case in the history of antitrust law. There's some tobacco cases related to consumer protection and the Federal Trade Commission in the '70s that were absolutely critical for the development of this law. But those are rare and those become historical events at least to lawyers.

I think to kind of wrap this one up, Jacob's points are very, very good in his LinkedIn article. And I really want dispel this notion that somehow a settlement means that the government gave up.

Kip Boyle: Oh yeah. That's a great point, because settlement does sort of carry that connotation.

Jake Bernstein: Yeah. It does and particularly with respect to the Facebook settlement. There was a lot of complaining about the Facebook settlement. It wasn't enough, it wasn't this, they didn't do enough. Why did they stop? And the fact is that first of all, the Federal Trade Commission brought that fine using an existing consent decree. So right away that makes it a little bit different than a new lawsuit. It was not really a new lawsuit.

And second $5 billion is still the largest consumer protection fine in the history of consumer protection. By a significant margin, orders of magnitude really. And for the FTC to just get that without spending five to 10 years litigating is an immense victory of frankly, legendary proportions among regulators.

The idea that settlement means the government somehow gave up or didn't do enough that's just not accurate. Settlement is how 90% plus of all civil cases get resolved. All it means really is that one side or the other decided that, hey you know what? It's just worth the risk going forward. And then on top of that in settlement, and this is almost counterintuitive. But settlement can sometimes be better for the regulator than actually going through to a lawsuit.

And the reason at is that there's a limit on the type of relief or the type of consequences a court can impose. There's only so many different types of things that can be done, whereas a settlement is an agreement and the two parties can agree to almost anything. And so there's a lot more flexibility and all of it comes down to this negotiation of weighing potential court consequences and costs versus whatever the agency wants.

Kip Boyle: And it's also interesting too. I think something that sort of adds fuel to the fire here is ordinary citizens are just livid at the data breaches and the fact that they can't seem to get compensated adequately for the harm that they feel that they've suffered. And so I think when they hear settlement because of the connotation of a settlement, as in throwing in the towel, giving up. I think that just makes things worse for people's ears.

Jake Bernstein: Yeah. I mean, I can understand that. Now, of course on the other side class actions also always settle. And in fact, I got a check today for over a $100 in a class action. I've started this a little hobby of just filling out the form for every class action notice I get. And people should do that because that's what those things are there for and it becomes relevant.

Kip Boyle: Okay. Now you have some lunch money and I'm going to be looking for an opportunity to help you spend it.

Jake Bernstein: crosstalk.

Kip Boyle: Okay. Well, I hope for our listeners that we've done a good job of answering the question, why does the FTC with respect to cyber security always seem to settle and why we don't get litigated court outcomes? I feel like I know the answer now.

And so that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about the FTC, their status as a civil law enforcement agency and why we see so many settlements instead of court opinions in the cybersecurity arena. We'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us @cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.