Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 1 of 7 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA PHILIP REITINGER, 309 Little Falls St. Falls Church, VA 22046 PLAINTIFF, v. FEDERAL TRADE COMMISSION 600 Pennsylvania Avenue, NW Washington, DC 20580 DEFENDANT. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Civil Action No: ____________ COMPLAINT 1. This is an action under the Freedom of Information Act (“FOIA”), 5 USC § 552, for declaratory, injunctive, and other appropriate relief, to compel the defendant United States Federal Trade Commission (“FTC” or “Commission”) to comply with its statutory obligations under that statute. 2. This lawsuit challenges the failure of the Federal Trade Commission to disclose documents in response to Plaintiff’s November 13, 2014 FOIA Request. Plaintiff seeks agency records describing standards, guidelines, or criteria for what conduct or omission constitutes an unfair act or practice in or affecting commerce authorizing FTC action, and criteria for bringing such an action, under 15 U.S.C. § 45, related to data or cyber security. Defendant has failed to disclose a single record in response to this request. Plaintiff asks the Court to order immediate disclosure of all responsive records. 1 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 2 of 7 JURISDICTION AND VENUE 3. The Court has jurisdiction over this action pursuant to 5 U.S.C. § 552(a)(4)(B) and 28 U.S.C. § 1331. 4. Venue is proper in this district pursuant to 5 U.S.C § 552(a)(4)(B). PARTIES 5. Plaintiff Philip Reitinger is a private citizen residing in Falls Church, Virginia. Mr. Reitinger writes a blog for the Federal Times focused on cyber and data security issues. Mr. Reitinger has an extensive background in privacy and security matters in the private sector. He has also served in government in senior information security and critical infrastructure protections roles, most recently as Deputy Under Secretary of the National Protection and Programs Directorate at the Department of Homeland Security. Currently, Mr. Reitinger is president of VisionSpear, LLC, an information security and privacy company. 6. Defendant United States Federal Trade Commission is an agency of the United States Government within the meaning of 5 U.S.C. § 552(f)(1). The FTC is headquartered at 600 Pennsylvania Avenue, NW, Washington, DC 20580. Defendant has possession, custody, and control of records to which Plaintiff seeks access. STATEMENT OF FACTS 7. Since 2002, the FTC has brought many data security enforcement matters and settled more than fifty of those actions through consent decrees. In its settlements, the FTC has obtained injunctive relief and has also sought or obtained civil money penalties. 8. In the vast majority of these cases, the FTC relies on its authority under Section 5 of the FTC Act, 15 U.S.C. § 45(a)(2), to prohibit “unfair or deceptive acts or practices in or affecting commerce.” In evaluating whether a company has engaged in “unfair or deceptive acts 2 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 3 of 7 or practices” related to data and cyber security, the FTC has stated it uses a “reasonableness” standard. 9. The FTC’s data security activity has increased in recent years and is likely to continue to do so. In light of this increased activity, it is important for the public, including entities subject to the FTC’s data and cyber security enforcement, to understand the FTC’s expectations for data security practices and the reasoning for its actions. 10. While the FTC has made publicly available a guide, “Protecting Personal Information: A Guide for Business,” this guide contains guidelines at only a high level of generality that are out of date, particularly considering the quickly evolving nature of data and cyber security. It is also unclear whether this guide represents the universe of what the FTC considers “reasonable,” and whether and to what extent the FTC relies on it in interpreting “reasonableness.” 11. On November 13, 2014, Plaintiff submitted a FOIA request to Defendant FTC, via the FTC’s web-based form for making such requests, seeking access to the following records: a. Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding standards, guidelines, or criteria for what conduct or omission constitutes an unfair act or practice in or affecting commerce authorizing FTC action under 1-5 USC section 45, where that conduct or omission relates to cybersecurity or data security, including any conduct or omission relating to prevention of, detection of, response to, mitigation of, or recovery from cybersecurity attacks or incidents. b. Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding standards, guidelines, or criteria for what conduct or omission should or may lead the FTC to bring an action related to prevention of unfair acts or practices in or affecting commerce under 15 USC section 45, where that conduct or omission relates to cybersecurity or data security, including any conduct or omission relating to prevention of, detection of, response to, mitigation of, or recovery from cybersecurity attacks or incidents. 3 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 4 of 7 c. Any and all documents including memoranda, communications, decisions, deliberations, and analyses regarding the legality or appropriateness of the material referred to in paragraphs 1 or 2. d. Any communication, including email, notes regarding conversations, or voicemail concerning the material referred to in paragraphs 1, 2 or 3. 12. In this November 13, 2014 request, Plaintiff specified that he was not requesting the “Protecting Personal Information: A Guide for Business (2007),” due to the guide’s limited use and the availability of it on the FTC’s website. 13. In his FOIA request, Plaintiff also sought a waiver of all fees due to his status as a blog writer and because the disclosure is in the public interest, as it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in Plaintiff’s commercial interest. 14. By letter dated November 17, 2014, Defendant acknowledged receipt of Plaintiff’s FOIA request and assigned it the file number FOIA-2015-00184. (Exhibit A, attached hereto). 15. By letter dated December 12, 2014, Defendant informed Plaintiff that it was “unable to respond to [his] request within the statutory 20-business day deadlines as codified in 5 U.S.C. § 552(a)(6)(A)(i)” and that it was invoking an extension for “unusual circumstances,” under 5 U.S.C. § 552(a)(6)(B)(iii) because of a “need to search for and collect the requested records from field facilities or other establishments that are separate from the office processing the request.” (Exhibit B, attached hereto). 16. In an effort to encourage cooperation with the FTC and at the FTC’s request, Plaintiff spoke with Defendant on December 23, 2014 and expressed a willingness to narrow his FOIA request to information regarding FTC’s general policies for data and cyber security enforcement, not material specific to each investigation. In light of the FTC’s complete lack of 4 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 5 of 7 cooperation and disclosure, however, Plaintiff maintains his right to all documents requested in his November 13, 2014 FOIA request. 17. By letter dated December 24, 2014, Defendant denied in full Plaintiff’s FOIA request, alleging that “all [responsive records] are exempt from the FOIA’s disclosure requirements” under Exemption 5 because they are “deliberative and predecisional” or “attorney work-product.” The letter did not make a determination as to Plaintiff’s fee request, asserting it was “moot” because no fees were incurred in processing the request. (Exhibit C, attached hereto). 18. By letter dated January 22, 2015, Plaintiff sent a timely administrative appeal of Defendant’s denial of the request. (Exhibit D, attached hereto). In his appeal, Plaintiff asserted that the information requested “is releasable under FOIA and may not validly be protected by any of the Act’s exemptions.” Plaintiff further noted that “[n]o documents were provided, even in redacted form, and the FOIA requires agencies to provide requesters with any reasonably segregable, non-exempt portions of the records that are responsive to FOIA.” Additionally, Plaintiff explained that “disclosure of appropriate standards and guidelines would further the public interest by fostering additional implementation of such guidelines by appropriate entities. Absent such standards and guidelines, entities are left to divine requirements from ad hoc agency action.” 19. By letter dated February 19, 2015, Defendant affirmed its denial of Plaintiff’s request. (Exhibit E, attached hereto). In its denial, Defendant claimed FOIA Exemption 5 applied, asserting that all responsive documents “consist entirely of material protected by the deliberative process privilege,” and contain no releasable information “reasonably segregable” from the privileged material. Defendant further claimed that FOIA Exemption 7(E) applied, 5 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 6 of 7 alleging that the documents are also law enforcement guidelines, disclosure of which could reasonably be expected to risk circumvention of the law. 20. Based on Defendant’s February 19, 2015 response, Defendant has denied Plaintiff’s January 22, 2015 administrative appeal, and, therefore, Plaintiff has exhausted all administrative remedies with respect to his November 13, 2014 FOIA request. 5 U.S.C. § 552(a)(6)(A)(ii). COUNT I (Violation of FOIA, 5 U.S.C. § 552) 21. Plaintiff realleges paragraphs 1 through 20 as if fully stated herein. 22. The FTC is subject to the FOIA requirements. 5 U.S.C. § 552(f)(1). 23. In responding to Plaintiff’s FOIA Request, Defendant FTC violated FOIA by failing to disclose agency records to Plaintiff that must be disclosed pursuant to FOIA. 24. Defendant’s unlawful withholding of records requested by Plaintiff violates FOIA, 5 U.S.C. § 552(a)(3)(A), by, inter alia, seeking to withhold all agency records under Exemptions 5 and 7(E), without adequately describing the documents withheld, without establishing a factual or legal basis for the application of these exemptions to the responsive agency documents, and without performing a sufficient segregability analysis to justify withholding nonexempt portions of the records, which should be disclosed as reasonably segregable from exempt portions. 25. The FTC’s failure to disclose agency records as required by law is preventing Plaintiff and the public from learning about FTC’s standards and expectations for reasonable security practices, which would allow the public to evaluate FTC’s actions and would assist entities in their implementation of such guidelines and data security practices. 6 Case 1:15-cv-00725-APM Document 1 Filed 05/13/15 Page 7 of 7 26. Plaintiff is entitled to injunctive relief compelling the release and disclosure of the requested agency documents. WHEREFORE, Plaintiff respectfully requests that the Court: 1. Enter an Order declaring that the FTC: a) must immediately produce all wrongfully withheld, non-exempt agency records that are responsive the Plaintiff’s FOIA request. 5 U.S.C. § 552(a)(4)(B); and b) must immediately produce an itemized, indexed inventory of every agency record or portion thereof responsive to Plaintiff’s FOIA request which the FTC asserts to be exempt from disclosure, if any, accompanied by a detailed justification statement covering each refusal to release records or portions thereof in accordance with the indexing requirements of Vaughn v. Rosen, 484 F.2d 820 (D.C. Cir. 1973), cert. denied, 415 U.S. 977 (1974). 2. Award Plaintiff his attorney’s fees and other litigation costs reasonably incurred in this action pursuant to 5 U.S.C. § 552(a)(4)(E); and 3. Award Plaintiff additional and further relief to which he may be entitled. Dated: May 13, 2015 Respectfully submitted, /s/ Michael J. Baratz Michael J. Baratz (DC Bar No. 480607) Stewart A. Baker (DC Bar No. 262071) Steptoe & Johnson, LLP 1330 Connecticut Avenue, NW Washington, DC 20036 (202) 429-3000 mbaratz@steptoe.com sbaker@steptoe.com Counsel for Plaintiff 7