3 Privacy 3 Privacy
3.1 13 U.S.C. § 141 3.1 13 U.S.C. § 141
13 U.S. Code § 141 - Population and other census information
(a) The Secretary shall, in the year 1980 and every 10 years thereafter, take a decennial census of population as of the first day of April of such year, which date shall be known as the “decennial census date”, in such form and content as he may determine, including the use of sampling procedures and special surveys. In connection with any such census, the Secretary is authorized to obtain such other census information as necessary.
(b) The tabulation of total population by States under subsection (a) of this section as required for the apportionment of Representatives in Congress among the several States shall be completed within 9 months after the census date and reported by the Secretary to the President of the United States.
(c) The officers or public bodies having initial responsibility for the legislative apportionment or districting of each State may, not later than 3 years before the decennial census date, submit to the Secretary a plan identifying the geographic areas for which specific tabulations of population are desired. Each such plan shall be developed in accordance with criteria established by the Secretary, which he shall furnish to such officers or public bodies not later than April 1 of the fourth year preceding the decennial census date. Such criteria shall include requirements which assure that such plan shall be developed in a nonpartisan manner. Should the Secretary find that a plan submitted by such officers or public bodies does not meet the criteria established by him, he shall consult to the extent necessary with such officers or public bodies in order to achieve the alterations in such plan that he deems necessary to bring it into accord with such criteria. Any issues with respect to such plan remaining unresolved after such consultation shall be resolved by the Secretary, and in all cases he shall have final authority for determining the geographic format of such plan. Tabulations of population for the areas identified in any plan approved by the Secretary shall be completed by him as expeditiously as possible after the decennial census date and reported to the Governor of the State involved and to the officers or public bodies having responsibility for legislative apportionment or districting of such State, except that such tabulations of population of each State requesting a tabulation plan, and basic tabulations of population of each other State, shall, in any event, be completed, reported, and transmitted to each respective State within one year after the decennial census date.
(d) Without regard to subsections (a), (b), and (c) of this section, the Secretary, in the year 1985 and every 10 years thereafter, shall conduct a mid-decade census of population in such form and content as he may determine, including the use of sampling procedures and special surveys, taking into account the extent to which information to be obtained from such census will serve in lieu of information collected annually or less frequently in surveys or other statistical studies. The census shall be taken as of the first day of April of each such year, which date shall be known as the “mid-decade census date”.
(e)
(1) If—
(A) in the administration of any program established by or under Federal law which provides benefits to State or local governments or to other recipients, eligibility for or the amount of such benefits would (without regard to this paragraph) be determined by taking into account data obtained in the most recent decennial census, and
(B) comparable data is obtained in a mid-decade census conducted after such decennial census,
then in the determination of such eligibility or amount of benefits the most recent data available from either the mid-decade or decennial census shall be used.
(2) Information obtained in any mid-decade census shall not be used for apportionment of Representatives in Congress among the several States, nor shall such information be used in prescribing congressional districts.
(f) With respect to each decennial and mid-decade census conducted under subsection (a) or (d) of this section, the Secretary shall submit to the committees of Congress having legislative jurisdiction over the census—
(1) not later than 3 years before the appropriate census date, a report containing the Secretary’s determination of the subjects proposed to be included, and the types of information to be compiled, in such census;
(2) not later than 2 years before the appropriate census date, a report containing the Secretary’s determination of the questions proposed to be included in such census; and
(3) after submission of a report under paragraph (1) or (2) of this subsection and before the appropriate census date, if the Secretary finds new circumstances exist which necessitate that the subjects, types of information, or questions contained in reports so submitted be modified, a report containing the Secretary’s determination of the subjects, types of information, or questions as proposed to be modified.
(g) As used in this section, “census of population” means a census of population, housing, and matters relating to population and housing.
3.2 13 U.S.C. § 9 3.2 13 U.S.C. § 9
13 U.S. Code § 9 - Information as confidential; exception
(a) Neither the Secretary, nor any other officer or employee of the Department of Commerce or bureau or agency thereof, or local government census liaison, may, except as provided in section 8 or 16 or chapter 10 of this title or section 210 of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 or section 2(f) of the Census of Agriculture Act of 1997—
(1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or
(2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or
(3) permit anyone other than the sworn officers and employees of the Department or bureau or agency thereof to examine the individual reports.
No department, bureau, agency, officer, or employee of the Government, except the Secretary in carrying out the purposes of this title, shall require, for any reason, copies of census reports which have been retained by any such establishment or individual. Copies of census reports which have been so retained shall be immune from legal process, and shall not, without the consent of the individual or establishment concerned, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding.
(b) The provisions of subsection (a) of this section relating to the confidential treatment of data for particular individuals and establishments, shall not apply to the censuses of governments provided for by subchapter III of chapter 5 of this title, nor to interim current data provided for by subchapter IV of chapter 5 of this title as to the subjects covered by censuses of governments, with respect to any information obtained therefor that is compiled from, or customarily provided in, public records.
3.3 Pub. L. 105–119, Title II, § 209 (Nov. 26, 1997) 3.3 Pub. L. 105–119, Title II, § 209 (Nov. 26, 1997)
(a) Congress finds that—
(1) it is the constitutional duty of the Congress to ensure that the decennial enumeration of the population is conducted in a manner consistent with the Constitution and laws of the United States;
(2) the sole constitutional purpose of the decennial enumeration of the population is the apportionment of Representatives in Congress among the several States;
(3) section 2 of the 14th article of amendment to the Constitution clearly states that Representatives are to be “apportioned among the several States according to their respective numbers, counting the whole number of persons in each State”;
(4) article I, section 2, clause 3 of the Constitution clearly requires an “actual Enumeration” of the population, and section 195 of title 13, United States Code, clearly provides “Except for the determination of population for purposes of apportionment of Representatives in Congress among the several States, the Secretary shall, if he considers it feasible, authorize the use of the statistical method known as ‘sampling’ in carrying out the provisions of this title.”;
(5) the decennial enumeration of the population is one of the most critical constitutional functions our Federal Government performs;
(6) it is essential that the decennial enumeration of the population be as accurate as possible, consistent with the Constitution and laws of the United States;
(7) the use of statistical sampling or statistical adjustment in conjunction with an actual enumeration to carry out the census with respect to any segment of the population poses the risk of an inaccurate, invalid, and unconstituional census;
(8) the decennial enumeration of the population is a complex and vast undertaking, and if such enumeration is conducted in a manner that does not comply with the requirements of the Constitution or laws of the United States, it would be impracticable for the States to obtain, and the courts of the United States to provide, meaningful relief after such enumeration has been conducted; and
(9) Congress is committed to providing the level of funding that is required to perform the entire range of constitutional census activities, with a particular emphasis on accurately enumerating all individuals who have historically been undercounted, and toward this end, Congress expects—
(A) aggressive and innovative promotion and outreach campaigns in hard-to-count communities;
(B) the hiring of enumerators from within those communities;
(C) continued cooperation with local government on address list development; and
(D) maximized census employment opportunities for individuals seeking to make the transition from welfare to work.
(b) Any person aggrieved by the use of any statistical method in violation of the Constitution or any provision of law (other than this Act), in connection with the 2000 or any later decennial census, to determine the population for purposes of the apportionment or redistricting of Members in Congress, may in a civil action obtain declaratory, injunctive, and any other appropriate relief against the use of such method.
(c) For purposes of this section—
(1) the use of any statistical method as part of a dress rehearsal or other simulation of a census in preparation for the use of such method, in a decennial census, to determine the population for purposes of the apportionment or redistricting of Members in Congress shall be considered the use of such method in connection with that census; and
(2) the report ordered by title VIII of Public Law 105–18 and the Census 2000 Operational Plan shall be deemed to constitute final agency action regarding the use of statistical methods in the 2000 decennial census, thus making the question of their use in such census sufficiently concrete and final to now be reviewable in a judicial proceeding.
(d) For purposes of this section, an aggrieved person (described in subsection (b)) includes—
(1) any resident of a State whose congressional representation or district could be changed as a result of the use of a statistical method challenged in the civil action;
(2) any Representative or Senator in Congress; and
(3) either House of Congress.
(e)
(1) Any action brought under this section shall be heard and determined by a district court of three judges in accordance with section 2284 of title 28, United States Code. The chief judge of the United States court of appeals for each circuit shall, to the extent practicable and consistent with the avoidance of unnecessary delay, consolidate, for all purposes, in one district court within that circuit, all actions pending in that circuit under this section. Any party to an action under this section shall be precluded from seeking any consolidation of that action other than is provided in this paragraph. In selecting the district court in which to consolidate such actions, the chief judge shall consider the convenience of the parties and witnesses and efficient conduct of such actions. Any final order or injunction of a United States district court that is issued pursuant to an action brought under this section shall be reviewable by appeal directly to the Supreme Court of the United States. Any such appeal shall be taken by a notice of appeal filed within 10 days after such order is entered; and the jurisdictional statement shall be filed within 30 days after such order is entered. No stay of an order issued pursuant to an action brought under this section may be issued by a single Justice of the Supreme Court.
(2) It shall be the duty of a United States district court hearing an action brought under this section and the Supreme Court of the United States to advance on the docket and to expedite to the greatest possible extent the disposition of any such matter.
(f) Any agency or entity within the executive branch having authority with respect to the carrying out of a decennial census may in a civil action obtain a declaratory judgment respecting whether or not the use of a statistical method, in connection with such census, to determine the population for the purposes of the apportionment or redistricting of Members in Congress is forbidden by the Constitution and laws of the United States.
(g) The Speaker of the House of Representatives or the Speaker's designee or designees may commence or join in a civil action, for and on behalf of the House of Representatives, under any applicable law, to prevent the use of any statistical method, in connection with the decennial census, to determine the population for purposes of the apportionment or redistricting of Members in Congress. It shall be the duty of the Office of the General Counsel of the House of Representatives to represent the House in such civil action, according to the directions of the Speaker. The Office of the General Counsel of the House of Representatives may employ the services of outside counsel and other experts for this purpose.
(h) For purposes of this section and section 210—
(1) the term “statistical method” means an activity related to the design, planning, testing, or implementation of the use of representative sampling, or any other statistical procedure, including statistical adjustment, to add or subtract counts to or from the enumeration of the population as a result of statistical inference; and
(2) the term “census” or “decennial census” means a decennial enumeration of the population.
(i) Nothing in this Act shall be construed to authorize the use of any statistical method, in connection with a decennial census, for the apportionment or redistricting of Members in Congress.
(j) Sufficient funds appropriated under this Act or under any other Act for puroses of the 2000 decennial census shall be used by the Bureau of the Census to plan, test, and become prepared to implement a 2000 decennial census, without using statistical methods, which shall result in the percentage of the total population actually enumerated being as close to 100 percent as possible. In both the 2000 decennial census, and any dress rehearsal or other simulation made in preparation for the 2000 decennial census, the number of persons enumerated without using statistical methods must be publicly available for all levels of census geography which are being released by the Bureau of the Census for: (1) all data releases before January 1, 2001; (2) the data contained in the 2000 decennial census Public Law 94–171 data file released for use in redistricting; (3) the Summary Tabulation File One (STF–1) for the 2000 decennial census; and (4) the official populations of the States transmitted from the Secretary of Commerce through the President to the Clerk of the House used to reapportion the districts of the House among the States as a result of the 2000 decennial census. Simultaneously with any other release or reporting of any of the information described in the preceding sentence through other means, such information shall be made available to the public on the Internet. These files of the Bureau of the Census shall be available concurrently to the release of the original files to the same recipients, on identical media, and at a comparable price. They shall contain the number of persons enumerated without using statistical methods and any additions or subtractions thereto. These files shall be based on data gathered and generated by the Bureau of the Census in its official capacity.
(k) This section shall apply in fiscal year 1998 and succeeding fiscal years.
3.4 Alabama v. Department of Commerce 3.4 Alabama v. Department of Commerce
546 F. Supp. 3d 1057 (M.D. Ala. 2021)
The State of ALABAMA, et al., Plaintiffs,
v.
UNITED STATES DEPARTMENT OF COMMERCE, et al., Defendants.
Case No. 3:21-cv-211-RAH-ECM-KCN
Signed 06/29/2021
Attorneys and Law Firms
Alexander Barrett Bowdre, Brenton Merrill Smith, Edmund Gerard LaCour, Jr., Winfield James Sinclair, James William Davis, Office of the Alabama Attorney General, Montgomery, AL, Jason Brett Torchinsky, Pro Hac Vice, Jonathan Philip Lienhard, Pro Hac Vice, Phillip Michael Gordon, Pro Hac Vice, Shawn Toomey Sheehy, Pro Hac Vice, HoltzmanVogel Josefiak Torchinsky PLLC, Haymarket, VA, for Plaintiff The State of Alabama.
Jason Brett Torchinsky, Pro Hac Vice, Jonathan Philip Lienhard, Pro Hac Vice, Phillip Michael Gordon, Pro Hac Vice, Shawn Toomey Sheehy, Pro Hac Vice, HoltzmanVogel Josefiak Torchinsky PLLC, Haymarket, VA, for Plaintiffs Robert Aderholt, William Green, Camaran Williams.
Elliott M. Davis, Zachary Anthony Avallone, John Robinson, US Department of Justice, Washington, DC, for Defendants.
MEMORANDUM OPINION AND ORDER
KEVIN C. NEWSOM, UNITED STATES CIRCUIT JUDGE, EMILY C. MARKS, CHIEF UNITED STATES DISTRICT JUDGE, R. AUSTIN HUFFAKER, JR., UNITED STATES DISTRICT JUDGE
I. Introduction
On March 10, 2021, the State of Alabama (“the State”), Congressman Robert Aderholt, and two Alabama voters (collectively, “Plaintiffs”) brought this suit against the U.S. Department of Commerce (“the Department”), the U.S. Bureau of the Census (“the Bureau”), and certain federal officials (collectively, “Defendants”). Plaintiffs requested a preliminary injunction against the Bureau's plan to use “differential privacy,” a method of disclosure avoidance, in the processing of 2020 Census data, on the grounds that it violates the Census Act, see 13 U.S.C. § 1 et seq., the Administrative Procedure Act (“APA”), see 5 U.S.C. § 706, and the Individual Plaintiffs’ due process and equal protection rights under the Fifth Amendment. Plaintiffs also sought a writ of mandamus from this court directing Defendants to provide census data to the State of Alabama by March 31, 2021 or as soon as equitably possible thereafter.
After the benefit of oral argument, the court concludes that Plaintiffs’ motion for a preliminary injunction and petition for writ of mandamus are due to be DENIED.
II. Legal Standard
“A preliminary injunction may be issued to protect the plaintiff from irreparable injury and to preserve the district court's power to render a meaningful decision after a trial on the merits.” Canal Auth. of the State of Fla. v. Callaway, 489 F.2d 567, 572 (5th Cir. 1974);1 Ne. Fla. Chapter of Ass'n of Gen. Contractors of Am. v. City of Jacksonville, Fla., 896 F.2d 1283, 1285 (11th Cir. 1990) (“The basis of injunctive relief in the federal courts has always been irreparable harm and inadequacy of legal remedies.” (quoting Sampson v. Murray, 415 U.S. 61, 90, 94 S.Ct. 937, 39 L.Ed.2d 166 (1974))).
A party seeking preliminary injunctive relief must establish four elements: “(1) a substantial likelihood of success on the merits; (2) that the preliminary injunction is necessary to prevent irreparable injury; (3) that the threatened injury outweighs the harm the preliminary injunction would cause the other litigant; and (4) that the preliminary injunction would not be averse to the public interest.” Chavez v. Fla. SP Warden, 742 F.3d 1267, 1271 (11th Cir. 2014) (citing Parker v. State Bd. of Pardons & Paroles, 275 F.3d 1032, 1034–35 (11th Cir. 2001)). Additionally, a preliminary injunction requires a showing of “imminent irreparable harm,” and “a delay in seeking a preliminary injunction of even only a few months—though not necessarily fatal—militates against a finding of irreparable harm.” Wreal, LLC v. Amazon.com, Inc., 840 F.3d 1244, 1248 (11th Cir. 2016).
When ruling on a preliminary injunction, “all of the well-pleaded allegations [in a movant's] complaint and uncontroverted affidavits filed in support of the motion for a preliminary injunction are taken as true.” Elrod v. Burns, 427 U.S. 347, 350 n.1, 96 S.Ct. 2673, 49 L.Ed.2d 547 (1976). The court may also consider supplemental evidence, even hearsay evidence, submitted by the parties. See Levi Strauss & Co. v. Sunrise Intern. Trading, Inc., 51 F.3d 982, 985 (11th Cir. 1995).
III. Background
A. The Decennial Census
The Constitution requires an “actual Enumeration” of the population every ten years and vests Congress with the authority to conduct that census “in such Manner as they shall by Law direct.” Wisconsin v. City of New York, 517 U.S. 1, 5, 116 S.Ct. 1091, 134 L.Ed.2d 167 (1996) (quoting 1 Art. I, § 2, cl. 3). The Enumeration Clause of the Constitution “vests Congress with virtually unlimited discretion in conducting the decennial ‘actual Enumeration,’ ” and Congress “has delegated its broad authority over the census to the Secretary” with its passage of the Census Act, 13 U.S.C. § 1 et seq. Dep't of Com. v. New York, ––– U.S. ––––, 139 S. Ct. 2551, 2566, 204 L.Ed.2d 978 (2019) (citing Wisconsin, 517 U.S. at 19, 116 S.Ct. 1091). Accordingly, the Secretary has substantial discretion to take “a decennial census of [the] population ... in such form and content as [she] may determine....” 13 U.S.C. § 141(a). The Secretary is assisted in the performance of that responsibility by the Bureau of the Census and its head, the Director of the Census. See id. at § 2; § 21.
“The Constitution provides that the results of the census shall be used to apportion the Members of the House of Representatives among the States.” Wisconsin, 517 U.S. at 5, 116 S.Ct. 1091 (citing Art. I, § 2, cl. 3 (“Representatives ... shall be apportioned among the several States ... according to their respective Numbers ....”); Amdt. 14, § 2 (“Representatives shall be apportioned among the several States according to their respective numbers, counting the whole number of persons in each State ....”)). And relevant here, the Census Act also requires the Secretary to work with each State to develop and approve plans “identifying the geographic areas for which specific tabulations of population are desired” for use in redistricting and other non-apportionment-related matters. 13 U.S.C. § 141(c). After completing the decennial census, the Secretary must report “[t]abulations of population for the areas identified” “to the Governor of the State involved and to the officers or public bodies having responsibility for legislative apportionment or districting of such State.” Id.
B. Implementation of Differential Privacy for the 2020 Decennial Census
To encourage public cooperation with each decennial census, “Congress has provided assurances that information furnished to the Secretary by individuals is to be treated as confidential.” Baldrige v. Shapiro, 455 U.S. 345, 354, 102 S.Ct. 1103, 71 L.Ed.2d 199 (1982) (citing 13 U.S.C. §§ 8(b), 9(a)). This mandate was incorporated into the Census Act, which provides in Sections 8 and 9, respectively, that first, “the Secretary may furnish copies of tabulations and other statistical materials which do not disclose the information reported by, or on behalf of, any particular respondent,” 13 U.S.C. § 8(b), and second, there should be no “publication whereby data furnished by any particular establishment or individual under this title can be identified,” id. at § 9(a), (a)(2). These provisions have been read in tandem to “embody explicit congressional intent to preclude all disclosure of raw census data reported by or on behalf of individuals.” Baldrige, 455 U.S. at 361, 102 S.Ct. 1103.
Given these guardrails, the Bureau has implemented various disclosure avoidance methods over the years with the goal of protecting the privacy of census respondents. For example, prior to 1990, the Bureau relied on the “suppression” of data to protect respondents. (Doc. 41-1 at 10.) Under this method of disclosure avoidance, the Bureau withheld publication of tables “that did not meet certain household, population, or demographic characteristic thresholds.” (Id.) And in the 2000 and 2010 censuses, the Bureau primarily used “data swapping,” meaning it swapped certain characteristic data between households that were most vulnerable to re-identification. (Id. at 12.) The data swapping methodology thus infused some “noise” into the redistricting data but kept each state's total population and total voting-age population constant at the census block level—the smallest geographic area for which the Bureau collects and tabulates census data. (Id.)
Citing the need to counter advancements in computational power and the threat of sophisticated re-identification and reconstruction attacks, the Bureau announced in September 2017 that it would employ a new and more proactive method of disclosure avoidance for the 2020 Census—“differential privacy.” (Doc. 3 at 23; Doc. 41 at 73.) Differential privacy, the Bureau concluded, is the most efficient method by which it can accomplish both of its goals: adequately protecting respondent information while also preserving the utility of census data. (Doc. 41-1 at 26.) Therefore, the Bureau formally adopted differential privacy in the latest version of its 2020 Census Operational Plan, published in December 2018. (See Doc. 3-4.)
Although the parties voice contrasting views of exactly what differential privacy does, they seem to agree that differential privacy injects a calibrated amount of noise into the raw census data to control the privacy risk of any calculation or statistic. The amount of noise—or as Plaintiffs would say, error—actually injected depends on a pre-determined “privacy-loss budget,” also referred to as the “epsilon,” which allows the Bureau to “dial up and down” the degree of privacy in a given dataset. (Doc. 3-5 at 11–12.) “Setting epsilon to zero would result in perfect privacy but useless data, and setting the epsilon to infinity would result in perfect accuracy, but would result in releasing data in fully identifiable form.” (Doc. 3-5 at 10–11; see also Doc. 41 at 14.)
Broadly speaking, the application of differential privacy is a process that occurs in two steps: “First, parameters are chosen to calibrate the variance of the chosen distribution, and then random draws from these distributions are taken and applied to the observations to ‘perturb’ or ‘alter’ values in the database up or down by adding the value of the random draw ....” (Doc. 3-5 at 12.) To put it more simply, among the computationally intense tasks folded into each of these steps, the Bureau's principal responsibilities are to determine the “invariants”—or unaltered numbers—and then to set the global privacy-loss budget. The goal, as the Census Bureau would argue, is highly accurate census data that can also withstand database reconstruction attacks more effectively than, say, the data that suppression or enhanced data swapping methods could produce. (Doc. 41-1 at 20–30.)
Moving ahead with its differential privacy plan, the Census Bureau announced on November 24, 2020, that the states will receive three invariants for the purposes of redistricting: (1) the total population of each state, (2) the total housing units at the census block level, and (3) the number of group quarters facilities by type at the census block level. (See Doc. 3-6 at 13.) Implicit in its announcement identifying these invariants, the Bureau indicated that the other redistricting data it plans to release to the states, including counts of population by race, ethnicity, voting age, housing occupancy status, and group quarters population, will be subject to the application of differential privacy at the census block level. (Doc. 3 at 13; Doc. 3-7 at 2.)
Throughout the development of the Bureau's differential privacy plan, the Bureau has released a series of “demonstration data” to its stakeholders to assist in the fine tuning of the disclosure avoidance system using differential privacy. (Doc. 3 at 29.) The Bureau released the first set of demonstration data products in October 2019, and, over the subsequent year, additional sets of demonstration data were released in May 2020, September 2020, November 2020, and April 2021. (Id.) The State of Alabama was among the recipients of these demonstration data products, which the Bureau has explained had “more noise (error) than should be expected in the final 2020 Census data products.” (Id.) And on June 9, 2021, the Bureau finalized the epsilon for the 2020 Census data and filed notice with this court to confirm that the privacy-loss budget will be much higher than what was allocated for the demonstration data products. (Doc. 137.) In practice, this means that the redistricting data ultimately delivered to the states will be more accurate, at least when compared to the demonstration data, and, according to the Bureau, will be adequate for states to comply with the Voting Rights Act. See Voting Rights Act of 1965, Pub.L. 89–110, 79 Stat. 437, 52 U.S.C.A. § 10301 et seq. (Doc. 137.)
C. Delayed Delivery of Redistricting Data
As is true for most every government entity and private business or organization over the past year, the COVID-19 pandemic placed onerous and novel burdens on government agencies to carry out their work in a timely and efficient manner. The Bureau, and its thousands of field representatives, had the bad luck of having to carry out the decennial census during this pandemic, which significantly delayed its field operations and processing of the census data. See generally Nat'l Urb. League v. Ross, 508 F.Supp.3d 663, 669-680 (N.D. Cal. 2020).
By statutory directive, the Bureau was required to report the census results to the President by December 31, 2020, so that he could officially submit the results to Congress for reapportionment of the House. See 13 U.S.C. § 141(b); 2 U.S.C. § 2a. Despite the Bureau's efforts to obtain an extension, Congress did not extend the deadline. And following litigation in California, the Census Bureau ended its field operations in mid-October 2020. See Ross v. Nat'l Urban League, ––– U.S. ––––, 141 S. Ct. 18, 208 L.Ed.2d 169 (2020). All told, this resulted in the Bureau reporting results of the 2020 Census on April 26, 2021, almost four months after it was statutorily required to do so.
Similarly, the Bureau missed the March 31, 2021, statutory deadline to submit census-based redistricting data to the states. The Bureau issued a press release on February 12, 2021, stating its intent to release redistricting data to all fifty states on September 30, 2021. (See Doc. 1 at 37.) As a result, Ohio raised a challenge to the Bureau's delay, as Plaintiffs do here. See Complaint, Counts V–VIII (Doc. 1 at 48–51); see also Ohio v. Raimondo, 848 F. App'x 187 (6th Cir. 2021) (reversing the district court's holding that the State of Ohio lacked standing to oppose the Census Bureau's delayed release of redistricting data).
But, as the oft-repeated adage goes, time brings all things to pass, see Aeschylus, Libation Bearers 81 (Evan Hayes et al. eds., Ian Johnston trans., Faenum Publishing 2017), and in a more recent April 26, 2021, press release, the Bureau advanced the release date to August 16, 2021. See Press Release, U.S. Census Bureau, 2020 Census Apportionment Results Delivered to the President (April 26, 2021), https://www.census.gov/newsroom/press-releases/2021/2020-census-apportionment-results.html (the “April 26 Press Release”). As to this newly announced August 16, 2021, deadline, Plaintiffs have expressed dissatisfied resignation. In oral argument, Plaintiffs’ counsel admitted that “if we could get [the redistricting data] in mid-August, I think we could still work with that, but pushing it beyond that is going to cause serious harm to us.” (Doc. 128 at 28.) Regardless, the Census Bureau maintains that it would be impossible to deliver redistricting data to the states any earlier than August 16, 2021. (Id. at 88–89.)
IV. Plaintiffs' Differential Privacy Challenge
The Bureau's adoption of differential privacy as the disclosure avoidance method of choice for the 2020 Census has prompted Plaintiffs’ first set of challenges (Counts I through IV), which are brought pursuant to both 13 U.S.C. § 141(c) and the APA. The crux of Plaintiffs’ differential privacy claims is that the Bureau's method will generate intentionally skewed and untrustworthy census data. As to each Plaintiff, the court first will discuss several jurisdictional and prudential prerequisites, the results of which merit a denial of Plaintiffs’ motion for a preliminary injunction and dismissal of several of these claims. Indeed, “the Court must determine whether it has jurisdiction before it can proceed to the merits of the case.” Smith v. Ivey, 501 F. Supp. 3d 1248, 1260 (M.D. Ala. 2020) (citing Trichell v. Midland Credit Mgmt., Inc., 964 F.3d 990, 996 (11th Cir. 2020)). The court must do so sua sponte, Sierra v. Hallandale Beach, 996 F.3d 1110, 1138 (11th Cir. 2021) (Newsom, J., concurring), and where it concludes that jurisdiction is lacking, a court must dismiss the case or cause of action. See Barnett v. Bailey, 956 F.2d 1036, 1039–41 (11th Cir. 1992) (holding that a federal court may inquire into its jurisdiction at any time and may dismiss an action sua sponte for lack of subject matter jurisdiction).
A. The § 141 Claim (Count I)
1. The State of Alabama has no cause of action under Section 209.
In Count I, Plaintiffs challenge Defendants’ use of differential privacy as an impermissible method of tabulation of the state's population under 13 U.S.C. § 141(c) of the Census Act (“Section 141”), via Pub. L. No. 105-119 § 209(b), codified as 13 U.S.C. § 141 Note. (“Section 209”). Plaintiffs contend that Section 141, which unquestionably entitles them to “tabulations of population” for redistricting purposes, see 13 U.S.C. § 141(c), also entitles them to “tabulations free from manipulation by unlawful statistical methods that affect districting decisions.” (Doc. 3 at 38.)
In raising this challenge, Plaintiffs do not argue that Section 141 itself provides a cause of action. Compare (Doc. 1 at 5) (“Plaintiffs bring claims under Section 141 of the Census Act, 13 U.S.C. § 141; Section 209 of Public Law No. 105-119, which is codified in a note to 13 U.S.C. § 141; and 28 U.S.C. § 2284(a), as this case involves a challenge to a statistical method used to provide ‘[t]abulations of population’ for states to use in drawing congressional districts. See 13 U.S.C. § 141(c).”) with Ohio v. Raimondo, No. 3:21-CV-064, 2021 WL 1118049, at *4 (S.D. Ohio Mar. 24, 2021), rev'd and remanded, 848 F. App'x 187 (6th Cir. 2021) (bringing claims solely under Section 141). On the contrary, they have chosen to travel under Section 209.2 That route, though—for the State, anyway—hits a roadblock in Section 209's definitions section, which identifies all sorts of other persons and entities as “person[s] aggrieved,” but notably excludes states themselves. As Defendants contend, of the four plaintiffs, the State of Alabama is not “a person aggrieved” within the meaning of Section 209 and therefore has no cause of action for a violation of the Bureau's mandates.
On this issue, we begin “where courts should always begin the process of legislative interpretation ... which is with the words of the statutory provision.” United States v. Hastie, 854 F.3d 1298, 1303 (11th Cir. 2017) (citing Harris v. Garner, 216 F.3d 970, 972 (11th Cir. 2000) (en banc)).
Section 209 provides that “[a]ny person aggrieved by the use of any statistical method in violation of the Constitution or any provision of law ..., to determine the population for purposes of the apportionment or redistricting of Members of Congress,” may bring a civil action. Pub. L. No. 105-119 § 209(b) (emphasis added). Section 209(d) in turn defines an “aggrieved person” as including: “(1) any resident of a State whose congressional representation or district could be changed as a result of the use of a statistical method challenged in the civil action; (2) any Representative or Senator in Congress; and (3) either House of Congress.” Id. at § 209(d)(1)–(3). Conspicuously missing from this section is any express mention of states, such as the State of Alabama or, for that matter, any other sovereign. “Definition sections ... are to be carefully followed.” Hastie, 854 F.3d at 1303 (citing Antonin Scalia & Bryan A. Garner, Reading Law: The Interpretation of Legal Texts 225 (2012); Fox v. Standard Oil Co., 294 U.S. 87, 96, 55 S.Ct. 333, 79 L.Ed. 780 (1935) (quotation marks omitted)).
The background presumption, of course, is that the word “person” does not include the sovereign. See Return Mail, Inc. v. United States Postal Serv., ––– U.S. ––––, 139 S. Ct. 1853, 1861–62, 204 L.Ed.2d 179 (2019) (“In the absence of an express statutory definition, the court applies a longstanding interpretive presumption that ‘person’ does not include the sovereign.”); Vermont Agency of Nat. Res. v. U.S. ex rel. Stevens, 529 U.S. 765, 782, 120 S.Ct. 1858, 146 L.Ed.2d 836 (2000) (the presumption is that states are not covered by the term “person.”); United States v. United Mine Workers of Am., 330 U.S. 258, 275, 67 S.Ct. 677, 91 L.Ed. 884 (1947) (exclusion of comparable provision extending the term “person” to include sovereign governments indicates Congress's intent not to include states). And here, the court can find nothing to rebut that presumption.
The State attempts to explain that, despite the omission of any sovereign from the text of the statute, its cause of action is safeguarded by the principle that the word “includes” should be understood to be nonexclusive. (See Doc. 94 at 50.) E.g., Scalia & Garner, at 132 (“the word include does not ordinarily introduce an exhaustive list”) (emphasis in original). True, the definitions section in Section 209(d) reads, “[f]or purposes of this section, an aggrieved person (described in subsection (b)) includes,” before listing the various entities previously described. But in applying the interpretive canon of expressio unius est exclusio alterius, which stands for the proposition that “expressing one item of [an] associated group or series excludes another left unmentioned,” N.L.R.B. v. SW Gen., Inc., ––– U.S. ––––, 137 S. Ct. 929, 940, 197 L.Ed.2d 263 (2017) (citation omitted), it becomes clear that there is no path around the textual barrier here; that is, the court has no basis for construing the word “person” in Section 209 as including any sovereign. Notably, of the three potential aggrieved persons,” the statute does confer a cause of action on one inanimate entity–either House of Congress. Had Congress intended to include other inanimate bodies in its definition of “aggrieved person[s],” such as states, it would have done so expressly.
That, at the outset of this case, Plaintiffs deliberately utilized Section 209 as the mechanism for their challenge to the Census Bureau's use of differential privacy cannot be sidestepped. And while true that Section 209 does create an express cause of action to challenge violations of Section 141, see Common Cause v. Trump, 506 F.Supp.3d 39, 54-55 (D.D.C. 2020), its precise language makes clear that the power to enforce the duties and obligations imposed by Section 141 does not extend to the State. See § 209(d)(1)–(3); Nat'l R. R. Passenger Corp. v. Nat'l Ass'n of R. R. Passengers, 414 U.S. 453, 458, 94 S.Ct. 690, 38 L.Ed.2d 646 (1974) (“Since the Act creates a public cause of action for the enforcement of its provisions and a private cause of action only under very limited circumstances, this maxim would clearly compel the conclusion that the remedies created in § 307(a) are the exclusive means to enforce the duties and obligations imposed by the Act.”).
Accordingly, the State is not entitled to relief—injunctive or otherwise—because it has no cause of action under Section 209 under which its differential privacy challenge would have a likelihood of success.3 See Klay v. United Healthgroup, Inc., 376 F.3d 1092, 1097 (11th Cir. 2004) (“[A]ny motion or suit for a traditional injunction must be predicated upon a cause of action ... regarding which a plaintiff must show a likelihood or actuality of success on the merits.”). As such, the State of Alabama's motion for a preliminary injunction as to Count I must be denied, and with no cognizable basis for relief, Count I as asserted by the State warrants dismissal with prejudice.4
2. The Individual Plaintiffs’ claims are not justiciable and therefore improperly before this court.
Unlike the State, Representative Aderholt, Mr. Green, and Mr. Williams (collectively, “Individual Plaintiffs”) are clearly “aggrieved persons” and have properly invoked Section 209 to bring their differential privacy challenge (Count I). As we will explain, though, their challenge to the Bureau's adoption of differential privacy likewise encounters a number of foundational roadblocks that bar this court from providing injunctive relief or otherwise hearing their challenge advanced in Count I on the merits. Here, those roadblocks are jurisdictional in nature.
i. The Individual Plaintiffs lack Article III standing.
Defendants contend that the Individual Plaintiffs lack Article III standing. In particular, Defendants argue that the census data provided will be reliable enough for redistricting and, in any event, that the Individual Plaintiffs’ claimed injuries are based on future events—most notably, the disclosure of the actual census data—and speculation about the effect of those events.
To satisfy Article III's well-established “case or controversy” requirement, Plaintiffs must demonstrate that they have “standing” to sue; that is, they must show that they (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of Defendants, and (3) that is likely to be redressed by a favorable judicial decision. Spokeo, Inc. v. Robins, 578 U.S. 330, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016); Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992); Flat Creek Transp., LLC v. Fed. Motor Carrier Safety Admin., 923 F.3d 1295, 1300 (11th Cir. 2019).
Each of the Plaintiffs “assert[ ] a number of injuries—diminishment of political representation, loss of federal funds, degradation of census data, and diversion of resources—all of which turn on [their] expectation that [differential privacy] will ... lead to an inaccurate population count.” Dep't of Com. v. New York, ––– U.S. ––––, 139 S. Ct. 2551, 2565, 204 L.Ed.2d 978 (2019). And the Individual Plaintiffs, specifically, assert that the use of differential privacy will degrade the redistricting data provided to the State, which will subsequently affect the State's ability to draw accurate federal, state, and local legislative districts. As their presumptive theory goes, the skewed data risks a misallocation of federal funding among Alabama's communities and citizens and dilution of their individual voting power.
An “injury in fact” is “an invasion of a judicially cognizable interest, which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical....” Corbett v. Transportation Sec. Admin., 930 F.3d 1225, 1232 (11th Cir. 2019). And where, as here, a voter rests his or her legal challenge on the one-person one-vote principle, “injury results only to those persons domiciled in under-represented voting districts,” Wright v. Dougherty Cty., Ga., 358 F.3d 1352, 1355 (11th Cir. 2004) (citations omitted), meaning that individuals who “have not suffered any harm or injury by the malapportioned voting districts” lack standing, id.
In this regard, the Bureau has not yet delivered its redistricting data with differential privacy “in a concrete manner that will predictably change the count.” 141 S. Ct. at 536 (citing Dep't of Com. v. New York, ––– U.S. ––––, 139 S. Ct. 2551, 2565–66, 204 L.Ed.2d 978 (2019); Dep't of Com. v. U.S. House of Representatives, 525 U.S. 316, 331, 331–32, 119 S.Ct. 765, 142 L.Ed.2d 797 (1999)). “The Government's eventual action will reflect both legal and practical constraints, making any prediction about future injury just that—a prediction.” Id. (emphasis added). More, the Bureau insists that the final epsilon, as set on June 9, 2021, will preserve the value and accuracy of census data once compiled in its final form. (Doc. 41-1 at 27–28; Doc. 137.)
As to the Individual Plaintiffs’ speculative fears of under-representation in their voting districts, their claims amount to “primarily future injuries,” which at this point, have not materialized. Dep't of Com. v. New York, 139 S. Ct. at 2565 (citing Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014)). Indeed, it is not presently known whether the Individual Plaintiffs’ votes will be diluted (or enhanced, or affected at all) by differential privacy,5 and the Bureau has committed to conducting quality checks of the data throughout the application of differential privacy before it is released to the states. (Doc. 137 at 2.)
And to the federal funding argument, the Individual Plaintiffs’ assertion that federal funding variables “will be affected by differential privacy,” which will, in turn, “directly affect the amount of federal funding Alabama and its citizens receive,” likewise rests on speculation. (Doc. 1 at 34–35.) For starters, the State has not yet received any redistricting data from the Bureau, meaning that the Individual Plaintiffs have no basis for believing they were, or will be, under-counted. Moreover, there is no indication that differential privacy will, in practice, skew redistricting data to the extent that federal funds will be misallocated. All told, any finding of a “substantial risk of reduced representation and federal resources” “involves a significant degree of guesswork.” Trump v. New York, ––– U.S. ––––, 141 S. Ct. 530, 535–36, 208 L.Ed.2d 365 (2020).
Because the Individual Plaintiffs’ fears are “riddled with contingencies and speculation that impede judicial review,” id. at 535, the court can discern no injury-in-fact sufficient to confer Article III standing on them at this point. See also Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S. Ct. 1138, 1141, 185 L.Ed.2d 264 (2013) (“ ‘[A]llegations of possible future injury’ are not sufficient.”). Accordingly, this court lacks jurisdiction to hear Count I in its entirety, and Count I is due to be dismissed without prejudice as to the Individual Plaintiffs.6
ii. The Individual Plaintiffs’ claims are unripe.
In addition to the Individual Plaintiffs’ failure to demonstrate that they have standing, their claims falter upon another jurisdictional hurdle: ripeness.
Consistent with the judiciary's obligation to exercise power only in last resort, suits must be ripe for court review in order to be justiciable. See, e.g., Common Cause, 506 F.Supp.3d 39, 44-45 (D.D.C. 2020). “A claim is not ripe for adjudication if it rests upon contingent future events that may not occur as anticipated, or indeed may not occur at all.” Texas v. United States, 523 U.S. 296, 300, 118 S.Ct. 1257, 140 L.Ed.2d 406 (1998). “If an action for prospective relief” does “not contain a concrete injury requisite for standing” because the injury alleged has not fully materialized, it generally will not be ripe for review. Elend v. Basham, 471 F.3d 1199, 1205 (11th Cir. 2006). Thus, for the same reasons that the Individual Plaintiffs here are unable to demonstrate any cognizable injury-in-fact, they are likewise unable to demonstrate the requisite ripeness for further consideration of their differential privacy claims. New York C.L. Union v. Grandeau, 528 F.3d 122, 130 (2d Cir. 2008) (“Standing and ripeness are closely related doctrines that overlap ‘most notably in the shared requirement that [Plaintiffs’] injury be imminent rather than conjectural or hypothetical.’ ”).
***
It may very well be that the Individual Plaintiffs will return here once the final redistricting data are actually delivered to the states. But we cannot know whether differential privacy will inflict the harm alleged by the Individual Plaintiffs until the Bureau releases a final set of redistricting data. “Letting the Executive Branch's decision-making process run its course not only brings more manageable proportions to the scope of the parties’ dispute, but also ensures that we act as judges, and do not engage in policymaking properly left to elected representatives.” Trump, 141 S. Ct. at 536 (citations omitted); see also Utah v. Evans, 536 U.S. 452, 463, 122 S.Ct. 2191, 153 L.Ed.2d 453 (2002) (“Nor ... if a lawsuit is brought soon enough after completion of the census and heard quickly enough is relief necessarily impracticable.”) (internal quotation marks omitted).
For each of these reasons, the Individual Plaintiffs’ (and, if one were to assume it could maintain a cause of action, the State's) challenge under Count I is non-justiciable at present and is therefore due to be dismissed without prejudice.
B. The APA Claims (Counts III and IV)
Plaintiffs bring two further challenges to the implementation of differential privacy, these under the APA. The first (Count III) seeks to have the court hold unlawful and set aside the use of differential privacy as an agency action that is “not in accordance with law,” “contrary to constitutional right,” “in excess of statutory jurisdiction [or] authority,” or which was implemented “without observance of procedure required by law.” (Doc. 1 at 46–47 (citing 5 U.S.C. §§ 706(2)(A)–(D)).) The second (Count IV) challenges the decision as arbitrary, capricious, or an abuse of discretion, and is based entirely on the Bureau's alleged failure to follow proper administrative procedures. (Id. at 47 (citing 5 U.S.C. § 706(2)(A)).)
Pertinent to Count III, which challenges the Bureau's adoption of differential privacy as being “not in accordance with [Section 141],” Plaintiffs do not differentiate the injury they have suffered from the injury alleged under Section 209—that consequences may flow from the Bureau's decision to deliver “skewed” redistricting data to the State. As already discussed, this alleged injury is simply too speculative to pass muster as an “injury-in-fact.” On these grounds, Plaintiffs, including the State, lack standing to challenge Section 141 by and through the APA, just as they lacked standing to challenge Section 141 by and through Section 209. Injunctive relief thus cannot exist as to Count III, and Count III will accordingly be dismissed without prejudice.
In contrast, where Count IV is concerned, the injury alleged is not speculative—the Plaintiffs allege a concrete and particularized injury caused by the Bureau's failure to follow the APA's procedural requirements in 2017 and 2018. See Spokeo, 136 S.Ct. at 1549–50. As such, the court must scrutinize the actions taken by the Bureau in its adoption of differential privacy, which began in September 2017 with the Census Bureau's initial announcement of its intent to use differential privacy for its 2020 Census data. (Doc. 3 at 12.) The second challenged action was the Bureau's December 2018 publication of its 2020 Census Operational Plan. (Doc. 1 at 18.)
“The APA, by its terms, provides a right to judicial review of all ‘final agency action for which there is no other adequate remedy in a court,’ § 704, and applies universally ‘except to the extent that—(1) statutes preclude judicial review; or (2) agency action is committed to agency discretion by law,’ § 701(a).” Bennett v. Spear, 520 U.S. 154, 175, 117 S.Ct. 1154, 137 L.Ed.2d 281 (1997). The APA “embodies a ‘basic presumption of judicial review,’ ” and instructs reviewing courts to set aside agency action that is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” Dep't of Com. v. New York, 139 S. Ct. at 2567 (citing Abbott Laboratories v. Gardner, 387 U.S. 136, 140, 87 S.Ct. 1507, 18 L.Ed.2d 681 (1987); 5 U.S.C. § 706(2)(A)).
For an agency action to be considered final, “[f]irst, the action must mark the consummation of the agency's decisionmaking process—it must not be of a merely tentative or interlocutory nature. And second, the action must be one by which rights or obligations have been determined, or from which legal consequences will flow.” U.S. Army Corps of Engineers v. Hawkes Co., 578 U.S. 590, 136 S. Ct. 1807, 1813, 195 L.Ed.2d 77 (2016) (quotation marks and citation omitted).
With this framework in mind, the larger question here remains: are Plaintiffs in the instant case entitled to injunctive relief under Count IV? Operating under the assumption that the Bureau's September 2017 and December 2018 announcements constituted final agency actions,7 cf. Glavin v. Clinton, 19 F. Supp. 2d 543, 547 (E.D. Va. 1998) (“As read in the Appropriations Act of 1998 § 209(c)(2), the Census 2000 Operational Plan ‘shall be deemed to constitute final agency action regarding the use of statistical methods in the 2000 decennial census,’ thus making the question of use ripe for adjudication.”), aff'd sub nom. Dep't of Com. v. U.S. House of Representatives, 525 U.S. 316, 119 S.Ct. 765, 142 L.Ed.2d 797 (1999), Plaintiffs’ delay in bringing their differential privacy challenge has undercut their request for an injunction by impeding any showing of imminent irreparable harm.8
“A preliminary injunction requires showing ‘imminent’ irreparable harm.” Wreal, LLC, 840 F.3d at 1248; Siegel v. LePore, 234 F.3d 1163, 1176 (11th Cir. 2000) (affirming the district court's denial of injunctive relief based solely on plaintiff's inability to demonstrate substantial likelihood of irreparable injury). “Indeed, the very idea of a preliminary injunction is premised on the need for speedy and urgent action to protect a plaintiff's rights before a case can be resolved on its merits.” Wreal, 840 F.3d at 1248 (five-month delay in bringing claim doomed any finding of imminent irreparable harm) (emphasis in original). The preliminary injunction standard's focus on imminent harm also places an onus on a plaintiff to demonstrate some sense of “urgency or necessity,” and by sitting on his or her rights for even a few months, a plaintiff has squandered any corresponding entitlement to injunctive relief. Menudo Int'l, LLC v. In Miami Prod., LLC, No. 17-21559-CIV, 2017 WL 4919222, at *3 (S.D. Fla. Oct. 31, 2017). See Benisek v. Lamone, ––– U.S. ––––, 138 S. Ct. 1942, 1944, 201 L.Ed.2d 398 (2018) (“[A] party requesting a preliminary injunction must generally show reasonable diligence.”); Pals Grp., Inc. v. Quiskeya Trading Corp., No. 16-23905-CIV, 2017 WL 532299, at *6 (S.D. Fla. Feb. 9, 2017) (“[C]ourts typically decline to grant preliminary injunctions in the face of unexplained delays of more than two months.”) (internal quotation and citation omitted).
Here, Plaintiffs waited approximately forty-two months as to the September 2017 announcement, and twenty-seven months as to the December 2018 publication, respectively, to bring their claims before this court. And despite their outright assertion that “the privacy loss budget—the epsilon—is immaterial” and “that the application of differential privacy itself—no matter the epsilon—is unlawful,” (Doc. 3 at 40), Plaintiffs explain that they were not aware of the extent to which differential privacy would abridge their rights until November 2020.9 But that does not change the underlying fact that they knew about the implementation of differential privacy, which they have challenged as a per se matter, as early as September 2017, at which point they proceeded to sit on their hands. Such a delay surely indicates “an absence of the kind of irreparable harm required to support a preliminary injunction.” Citibank, N.A. v. Citytrust, 756 F.2d 273, 276 (2d Cir. 1985).
While the challenge to the procedure followed in adopting differential privacy under the APA (Count IV) is within the court's jurisdictional reach, the request for preliminary injunctive relief will be denied. Count III will be dismissed for lack of standing.
C. Fifth Amendment Claim (Count II)
The Individual Plaintiffs bring a separate Equal Protection claim under the Due Process Clause of the Fifth Amendment, alleging that differential privacy is a violation of the one-person, one-vote principle and will result in the dilution of their votes. (Doc. 1 at 45–45) (Count II). For the same reasons these specific plaintiffs lack standing and ripeness to challenge differential privacy under Section 141(c), see section IV.A.2, supra, their purely constitutional claim regarding alleged vote dilution is likewise not justiciable at this point in time. As the court discussed as to Count I, their claims are far too speculative at present to meet either the injury-in-fact or ripeness conditions. The Individual Plaintiffs therefore are not entitled to injunctive relief, and Count II will likewise be dismissed without prejudice.
V. Plaintiffs' Delay Challenge
Plaintiffs’ next set of challenges, which are similarly brought pursuant to both § 141(c) and the APA, concern the Bureau's delayed delivery of redistricting data to the states, which the Bureau announced on February 12, 2021. The statutory release date should have been March 31, 2021, but that deadline has now come and gone, with announced deadlines extending to September 30, 2021, and, most recently, August 16, 2021. Defendants submit that Plaintiffs lack standing, their claims are largely moot since the March 31, 2021, deadline has passed without an amended complaint, and the requested relief is impossible to provide.
Here, as with its differential privacy challenge, the State of Alabama brings its first challenge to the Bureau's delay (Count V) pursuant to Section 141, by and through Section 209. For the same reasons already set forth, these claims are not properly before this Court. That is, Section 209 affords the State no cause of action to bring its delay claim under Section 141, see section IV.A.1, supra. Injunctive relief as to Count V, as asserted by the State, will thus be denied and the claim dismissed with prejudice.
The Individual Plaintiffs’ claims asserted under Section 141 (Count V) and all of Plaintiffs’ claims asserted under the APA (Counts VI and VII), however, do not face any similar preliminary barriers to consideration and thus warrant a more thorough discussion.
A. § 141 Claim (Count V) and APA Claims (Counts VI and VII)
In what remains for discussion under Count V, the Individual Plaintiffs contend that the Bureau's delay does not comport with Section 141(c), which requires that redistricting data be sent to the states no later than March 31, 2021. (Doc. 1 at 48.) And in Counts VI and VII, each of the Plaintiffs seeks relief under the APA for the February 12, 2021, decision, in which the Bureau announced its intent to release redistricting data to all fifty states on September 30, 2021. (See id. at 37.) In Plaintiffs’ view, the announcement was “not in accordance with law” “because it contradicts ... the congressionally imposed deadline of March 31” (Count VI). (Id. at 48.) They further argue that the delay announcement was “arbitrary and capricious” (Count VII). (Id. at 49.)
To no one's surprise, following Plaintiffs’ filing of the Complaint in the case, the Bureau missed its March 31, 2021, statutory deadline to deliver redistricting data to the states. But on April 26, 2021, the Bureau announced that it will instead deliver redistricting data to the states by August 16, 2021, an earlier date than originally announced. This date was initially unsatisfactory for Plaintiffs who, for the first time in their reply brief, requested a July 31, 2021, deadline for the release of the data. (See Doc. 94 at 14.) But at oral argument, counsel for Plaintiffs and Defendants stated that the new August 16 date was satisfactory to both parties: “[I]f we could get [the redistricting data] in mid-August, I think we could still work with that, but pushing it beyond that is going to cause serious harm to us.” (Doc. 128 at 28.) Naturally, this statement brings into question whether Plaintiffs’ stated injuries necessitate preliminary injunctive relief at the present moment.
“A showing of irreparable harm is ‘the sine qua non of injunctive relief,’ ” or in other words, the indispensable requirement. Ne. Fla. Chapter of Ass'n of Gen. Contractors of Am. v. City of Jacksonville, Fla., 896 F.2d 1283, 1285 (11th Cir. 1990) (quoting Frejlach v. Butler, 573 F.2d 1026, 1027 (8th Cir. 1978)). “The injury must be neither remote nor speculative, but actual and imminent,” City of Jacksonville, Fla., 896 F.2d at 1285 (quotation omitted), and “[m]ere injuries, however substantial, in terms of money, time and energy necessarily expended in the absence of [an injunction]” do not reach the actual and imminent standard, Sampson v. Murray, 415 U.S. 61, 90, 94 S.Ct. 937, 39 L.Ed.2d 166 (1974). “Although [Plaintiffs’] desire to have [their] case decided in an expedited fashion is understandable, that desire, without more, is insufficient to constitute the irreparable harm necessary to justify the extraordinary relief requested here.” Jud. Watch, Inc. v. U.S. Dep't of Homeland Sec., 514 F. Supp. 2d 7, 10 (D.D.C. 2007).
Here, an issue arises as to the imminent irreparability of Plaintiffs’ alleged injury. While the Bureau announced a delay of the redistricting data release date, the Bureau has since advanced that timeline. Furthermore, at oral argument, counsel for the Bureau described the precise next steps that the Bureau will take to complete the delivery of the data by August 16, a date which, barring unforeseen “undiscovered, unexpected anomalies,” the State “can have confidence in.” (Doc. 128 at 89.) Given the State's admission that a mid-August release date would be workable, (id. at 28), there is very little record evidence from which the court can glean that Plaintiffs will “suffer irreparable injury absent an injunction.” Swain v. Junior, 961 F.3d 1276, 1292 (11th Cir. 2020) (emphasis in original).
The problem at this point for Plaintiffs “is that the federal courts exist to resolve real disputes, not to rule on a plaintiff's entitlement to relief already there for the taking.” Campbell-Ewald Co. v. Gomez, 577 U.S. 153, 175, 136 S.Ct. 663, 193 L.Ed.2d 571 (2016), as revised (Feb. 9, 2016) (Roberts, C.J., dissenting) (emphasis added). For Plaintiffs to quibble with the already expedited timeline by asking for an order from this court directing the Bureau to speed things up even more, but only by two weeks or so, demonstrates that there is just not a whole lot to their argument; or, at least, not enough to demonstrate the continued necessity of preliminary injunctive relief. See Sheely v. MRI Radiology Network, P.A., 505 F.3d 1173, 1182 n.10 (11th Cir. 2007) (“Even though a case is not moot, that does not mean that injunctive relief follows automatically; undoubtedly, injunctive relief requires something more than the mere possibility which serves to keep the case alive.” (quotation marks omitted)).
And although no one disagrees that the Bureau failed to act by the March 31, 2021, deadline contained in the Census Act, Plaintiffs did not subsequently make a request to amend their complaint seeking a new deadline of July 31, 2021, for the Bureau to release the redistricting data; instead, they first suggested the July 31 deadline in their reply brief. But arguments raised for the first time in a reply brief are not properly before the reviewing court. United States v. Oakley, 744 F.2d 1553, 1556 (11th Cir. 1984) (citing United States v. Benz, 740 F.2d 903 (11th Cir. 1984)).
The Bureau has made clear the data will be available for use on August 16, 2021, a date that Plaintiffs have acknowledged will allow them to complete redistricting without causing them cognizable injury. Of course, should the Bureau not abide by its assurances that Plaintiffs can have confidence in the August 16 date, Plaintiffs may continue to litigate the claims that remain for trial, not to mention their right to avail themselves of other legal pathways available to them. See, e.g., 5 U.S.C. § 706(1) (“The reviewing court shall ... compel agency action unlawfully withheld or unreasonably delayed.”). But as far as this court can discern at this juncture, Plaintiffs are not entitled to a preliminary injunction as it pertains to the Individual Plaintiffs’ Section 141 claims or each Plaintiff's APA delay claims, and the request for preliminary injunctive relief as to Counts V, VI, and VII will be denied.
B. Mandamus Request (Count VIII)
In Count VIII, Plaintiffs ask for “a writ of mandamus requiring the Secretary to comply with the March 31 deadline imposed by § 141(c).” (Doc. 1 at 51; see also Doc. 3 at 69.)
The Mandamus Act, codified at 28 U.S.C. § 1361, grants district courts original jurisdiction over mandamus actions brought “to compel an officer or employee of the United States or any agency thereof to perform a duty owed to the plaintiff.” 28 U.S.C. § 1361. Even so, “mandamus is an extraordinary remedy which should be utilized only in the clearest and most compelling of cases.” Cash v. Barnhart, 327 F.3d 1252, 1257–58 (11th Cir. 2003) (citing Carter v. Seamans, 411 F.2d 767, 773 (5th Cir. 1969)).
“Mandamus relief is only appropriate when: (1) the plaintiff has a clear right to the relief requested; (2) the defendant has a clear duty to act; and (3) ‘no other adequate remedy [is] available.’ ” Id. But “the writ of mandamus will not issue to compel the performance of that which cannot be legally accomplished,” or, in other words, that which is “impossible.” Am. Hosp. Ass'n v. Price, 867 F.3d 160, 167 (D.C. Cir. 2017) (emphasis added).
Here, the Bureau has made it quite clear that a delay was unavoidable due in no small part to the COVID-19 pandemic. True, the COVID-19 pandemic is not carte blanche for the Bureau to ignore the law, and “judicial deference in an emergency or a crisis does not mean wholesale judicial abdication” of the federal judiciary's role to say what the law is. Roman Cath. Diocese of Brooklyn v. Cuomo, ––– U.S. ––––, 141 S. Ct. 63, 74, 208 L.Ed.2d 206 (2020) (Kavanaugh, J., concurring). But “[t]here is nothing mystical or punctilious about the judiciary giving due consideration to an executive agency's central argument—made repeatedly and emphatically ..., not solely with allegations but with proffers of evidence—before issuing extraordinary relief.” Am. Hosp. Ass'n, 867 F.3d at 169. “[I]t is not appropriate for a court—contemplating the equities—to order a party to jump higher, run faster, or lift more than [he or she] is physically capable.” Id., at 167–168.
Yet, even as the March 31, 2021, deadline approached and then passed, Plaintiffs chose not to amend their complaint to request alternative relief from this court. The court cannot force the Bureau to do the impossible—that is, comply with an already-lapsed deadline. As a result of this impossibility, Plaintiffs’ request for mandamus relief is due to be denied. Id. at 169; cf. United States v. Sanchez-Gomez, ––– U.S. ––––, 138 S. Ct. 1532, 1540, 200 L.Ed.2d 792 (2018) (“[S]upervisory mandamus cases require live controversies.”).
Furthermore, the Bureau has made quite clear that it will be able to deliver the redistricting data to the State by August 16, 2021. Again, Plaintiffs have acknowledged that date suffices for them to be able to complete redistricting without injury. We see no prejudice to Plaintiffs in denying a writ of mandamus requiring the Bureau to issue the data any earlier. See Telecommunications Rsch. & Action Ctr. v. F.C.C., 750 F.2d 70, 80 (D.C. Cir. 1984).
Therefore, Plaintiffs’ request for a writ of mandamus is due to be denied, and Count VIII is dismissed with prejudice.
VI. CONCLUSION
Based upon the foregoing, it is ORDERED10 as follows:
1) Plaintiffs’ Motion for a Preliminary Injunction (Doc. 3) is DENIED;
2) Plaintiffs’ Petition for a Writ of Mandamus (Doc. 3) is DENIED;
3) Count I of the Complaint (Doc. 1) as asserted by the State of Alabama is DISMISSED with prejudice;
4) Count I of the Complaint (Doc. 1) as asserted by Robert Aderholt, William Green, and Camaran Williams is DISMISSED without prejudice;
5) Counts II and III of the Complaint (Doc. 1) are DISMISSED without prejudice;
6) Count V of the Complaint (Doc. 1) as asserted by the State of Alabama is DISMISSED with prejudice;
7) Count VIII of the Complaint (Doc. 1) is DISMISSED with prejudice;
8) Counts IV, VI, and VII of the Complaint (Doc. 1) will proceed; and
9) Count V of the Complaint (Doc. 1) as asserted by Robert Aderholt, William Green, and Camaran Williams will proceed.
DONE, on this the 29th day of June, 2021.
3.5 FTC v. Wyndham Worldwide Corp. 3.5 FTC v. Wyndham Worldwide Corp.
FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation Wyndham Hotels and Resorts, LLC, Appellant.
No. 14-3514.
United States Court of Appeals, Third Circuit.
Argued March 3, 2015.
Opinion filed: Aug. 24, 2015.
*239Kenneth W. Allen, Esquire, Eugene F. Assaf, Esquire, (Argued), Christopher Landau, Esquire, Susan M. Davies, Esquire, Michael W. McConnell, Esquire, Kirkland & Ellis, Washington, DC, David T. Cohen, Esquire, Ropes & Gray, New York, N.Y., Douglas H. Meal, Esquire, Ropes & Gray, Boston, MA, Jennifer A. Hradil, Esquire, Justin T. Quinn, Esquire, Gibbons, Newark, NJ, Counsel for Appellants.
Jonathan E. Nuechterlein, General Counsel, David C. Shonka, Sr., Principal Deputy General Counsel, Joel R. Marcus, Esquire, (Argued), David L. Sieradzki, Esquire, Federal Trade Commission, Washington, DC, Counsel for Appellee.
Sean M. Marotta, Esquire, Catherine E. Stetson, Esquire, Harriet P. Pearson, Esquire, Bret S. Cohen, Esquire, Adam A. Cooke, Esquire, Hogan Lovells U.S. LLP, Kate Comerford Todd, Esquire, Steven P. Lehotsky, Esquire, Sheldon Gilbert, Esquire, U.S. Chamber Litigation Center, Inc., Banks Brown, Esquire, McDermott Will & Emery LLP, New York, N.Y., Karen R. Harned, Esquire, National Federation of Independent Business, Washington, DC, Counsel for Amicus Appellants, Chamber of Commerce of the USA; American Hotel & Lodging Association; National Federation of Independent Business.
Cory L. Andrews, Esquire, Richard A. Samp, Esquire, Washington Legal Foundation, John F. Cooney, Esquire, Jeffrey D. Knowles, Esquire, Mitchell Y. Mirviss, Esquire, Leonard L. Gordon, Esquire, Randall K. Miller, Esquire, Venable LLC, Washington, DC, Counsel for Amicus Appellants, Electronic Transactions Association, Washington Legal Foundation.
Scott M. Michelman, Esquire, Jehan A. Patterson, Esquire, Public Citizen Litigation Group, Washington, DC, Counsel for Amicus Appellees, Public Citizen Inc.; Consumer Action; Center for Digital Democracy.
Marc Rotenberg, Esquire, Alan Butler, Esquire, Julia Horwitz, Esquire, John Tran, Esquire, Catherine N. Crump, Esquire, American Civil Liberties Union, New York, N.Y., Chris Jay Hoofnagle, Esquire, Samuelson Law, Technology & Public Policy Clinic, Berkeley, CA, Justin Brookman, Esquire, G.S. Hans, Esquire, Washington, DC, Lee Tien, Esquire, Electronic Frontier Foundation, San Francisco, CA, Counsel for Amicus Appellees, Electronic Privacy Information Center, American Civil Liberties Union, Samuelson Law, Technology & Public Policy Clinic, Center *240for Democracy & Technology, Electronic Frontier Foundation.
Before: AMBRO, SCIRICA, and ROTH, Circuit Judges.
OPINION OF THE COURT
The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.
On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation’s computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham’s motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.1 We affirm the District Court.
1. Background
A. Wyndham’s Cybersecurity
Wyndham Worldwide is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries.2 Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndhambranded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham “manage[s]” these systems and requires the hotels to “purchase and configure” them to its own specifications. Compl. at ¶ 15, 17. It also operates a computer network in Phoenix, Arizona, that connects its data center with the property management systems of each of the Wyndham-branded hotels.
The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Id. at ¶ 24. This claim is fleshed out as follows.
1. The company allowed Wyndhambranded hotels to store payment card information in clear readable text.
2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.” Id. at ¶ 24(f).
*2413. Wyndham failed to use “readily available security measures” — such as firewalls — to “limit access between [the] hotels’ property management systems, ... corporate network, and the Internet.” Id. at ¶ 24(a).
4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Id. at ¶ 24(c). Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled ..., which were easily available to hackers through simple Internet searches.” Id. And, because it failed to maintain an “adequate[] inventory [of] computers connected to [Wyndham’s] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks. Id. at ¶ 24(g).
5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndhambranded hotels. Id. at ¶ 24(j). For example, it did not “restrict[] connections to specified IP addresses or grant[] temporary, limited access, as necessary.” Id.
6. It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.” Id. at 1124(h).
7. It did not follow “proper incident response procedures.” Id. at ¶ 24(i). The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.
Although not before us on appeal, the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company’s cybersecurity.
We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information — such as credit card numbers, online forms, and financial data — from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards....
Id. at If 21. The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.
B. The Three Cybersecurity Attacks
As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then *242used the brute-force method — repeatedly guessing users’ login IDs and passwords— to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia.
In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered “memory-scraping malware” used in the previous attack on more than thirty hotels’ computer systems. Id. at ¶ 34. The FTC asserts that, due to Wyndham’s “failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months.” Id. In this second attack, the hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.
Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account on one of its networks. Because Wyndham “had still not adequately limited access between ... the Wyndham-branded hotels’ property management systems, [Wyndham’s network], and the Internet,” the hackers had access to the property management servers of multiple hotels. Id. at ¶ 37. Wyndham only learned of the intrusion in January 2010 when a credit card company received complaints from cardholders. In this third attack, hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels.
The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit,” Id. at ¶ 40, and that they “expended time and money resolving fraudulent charges and mitigating subsequent harm.” Id.
C. Procedural History
The FTC filed suit in the U.S. District Court for the District of Arizona in June 2012 claiming that Wyndham engaged in “unfair” and “deceptive” practices in violation of § 45(a). At Wyndham’s request, the Court transferred the case to the U.S. District Court for the District of New Jersey. Wyndham then filed a Rule 12(b)(6) motion to dismiss both the unfair practice and deceptive practice claims. The District Court denied the motion but certified its decision on the unfairness claim for interlocutory appeal. We granted Wyndham’s application for appeal.
II. Jurisdiction and Standards of Review
The District Court has subject-matter jurisdiction under 28 U.S.C. §§ 1331, 1337(a), and 1345. We have jurisdiction under 28 U.S.C. § 1292(b).
We have plenary review of a district court’s ruling on a motion to dismiss for failure to state a claim under Rule 12(b)(6). Farber v. City of Paterson, 440 F.3d 131, 134 (3d Cir.2006). In this review, “we accept all factual allegations as true, construe the complaint in the light most favorable to the plaintiff, and determine whether, under any reasonable reading of the complaint, the plaintiff may be entitled to relief.” Pinker v. Roche Hold*243ings Ltd., 292 F.3d 361, 374 n. 7 (3d Cir.2002).
III. FTC’s Regulatory Authority Under § 45(a)
A. Legal Background
The Federal Trade Commission Act of 1914 prohibited “unfair methods of competition in commerce.” Pub.L. No. 63-203, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. § 45(a)). Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ ... by enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239-40, 92 S.Ct. 898, 31 L.Ed.2d 170 (1972) (citing S.Rep. No. 63-597, at 13 (1914)); see also S.Rep. No. 63-597, at 13 (“The committee gave careful consideration to the question as to whether it would attempt to define the many and variable unfair practices which prevail in commerce .... It concluded that ... there were too many unfair practices to define, and after writing 20 of them into the law it would be quite possible to invent others.” (emphasis added)). The takeaway is that Congress designed the term as a “flexible concept with evolving content,” FTC v. Bunte Bros., 312 U.S. 349, 353, 61 S.Ct. 580, 85 L.Ed. 881 (1941), and “intentionally left [its] development ... to the Commission,” Atl. Ref. Co. v. FTC, 381 U.S. 357, 367, 85 S.Ct. 1498, 14 L.Ed.2d 443 (1965).
After several early cases limited “unfair methods of competition” to practices harming competitors and not consumers, see, e.g., FTC v. Raladam Co., 283 U.S. 643, 51 S.Ct. 587, 75 L.Ed. 1324 (1931), Congress inserted an additional prohibition in § 45(a) against “unfair or deceptive acts or practices in or affecting commerce,” Wheeler-Lea Act, Pub.L. No. 75-447, § 5, 52 Stat. 111, 111 (1938).
For the next few decades, the FTC interpreted the unfair-practices prong primarily through agency adjudication. But in 1964 it issued a “Statement of Basis and Purpose” for unfair or deceptive advertising and labeling of cigarettes, 29 Fed.Reg. 8324, 8355 (July 2, 1964), which explained that the following three factors governed unfairness determinations:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise — whether, in other words, it is within at least the penumbra of some common-law, statutory or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers (or competitors or other businessmen).
Id. Almost a decade later, the Supreme Court implicitly approved these factors, apparently acknowledging their applicability to contexts other than cigarette advertising and labeling. Sperry, 405 U.S. at 244 n. 5, 92 S.Ct. 898. The Court also held that, under the policy statement, the FTC could deem a practice unfair based on the third prong — substantial consumer injury — without finding that at least one of the other two prongs was also satisfied. Id.
During the 1970s, the FTC embarked on a controversial campaign to regulate children’s advertising through the unfair-practices prong of § 45(a). At the request of Congress, the FTC issued a second policy statement in 1980 that clarified the three factors. FTC Unfairness Policy Statement, Letter from the FTC to Hon. Wendell Ford and Hon. John Danforth, Senate Comm, on Commerce, Sci., and Transp. (Dec. 17, 1980), appended to Int’l Harvester Co., 104 F.T.C. 949, 1070 (1984) [herein*244after 1980 Policy Statement]. It explained that public policy considerations are relevant in determining whether a particular practice causes substantial consumer injury. Id. at 1074-76. Next, it “abandoned” the “theory of immoral or unscrupulous conduct ... altogether” as an “independent” basis for an unfairness claim. Inti Harvester Co., 104 F.T.C. at 1061 n. 43; 1980 Policy Statement, supra at 1076 (“The Commission has ... never relied on [this factor] as an independent basis for a finding of unfairness, and it will act in the future only on the basis of the [other] two.”). And finally, the Commission explained that “[u]njustified consumer injury is the primary focus of the FTC Act” and that such an injury “[b]y itself ... can be sufficient to warrant a finding of unfairness.” 1980 Policy Statement, supra at 1073. This “does not mean that every consumer injury is legally ‘unfair.’ ” Id. Indeed,
[t]o justify a finding of unfairness the injury must satisfy three tests. [1] It must be substantial; [2] it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and [3] it must be an injury that consumers themselves could not reasonably have avoided.
Id.
In 1994, Congress codified the 1980 Policy Statement at 15 U.S.C. § 45(n):
The Commission shall have no authority under this section ... to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.
FTC Act Amendments of 1994, Pub.L. No. 103-312, § 9, 108 Stat. 1691, 1695. Like the 1980 Policy Statement, § 45(n) requires substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition. It also acknowledges the potential significance of public policy and does not expressly require that an unfair practice be immoral, unethical, unscrupulous, or oppressive.
B. Plain Meaning of Unfairness
Wyndham argues (for the first time on appeal) that the three requirements of 15 U.S.C. § 45(n) are necessary but insufficient conditions of an unfair practice and that the plain meaning of the word “unfair” imposes independent requirements that are not met here. Arguably, § 45(n) may not identify all of the requirements for an unfairness claim. (While the provision forbids the FTC from declaring an act unfair “unless” the act satisfies the three specified requirements, it does not answer whether these are the only requirements for a finding of unfairness.) Even if so, some of Wyndham’s proposed requirements are unpersuasive, and the rest are satisfied by the allegations in the FTC’s complaint.
First, citing FTC v. R.F. Keppel & Brother, Inc., 291 U.S. 304, 54 S.Ct. 423, 78 L.Ed. 814 (1934), Wyndham argues that conduct is only unfair when it injures consumers “through unscrupulous or unethical behavior.” Wyndham Br. at 20-21. But Keppel nowhere says that unfair conduct must be unscrupulous or unethical. Moreover, in Sperry the Supreme Court rejected the view that the FTC’s 1964 policy *245statement required unfair conduct to be “unscrupulous” or “unethical.” 405 U.S. at 244 n. 5, 92 S.Ct. 898.3 Wyndham points to no subsequent FTC policy statements, adjudications, judicial opinions, or statutes that would suggest any change since Sperry.
Next, citing one dictionary, Wyndham argues that a practice is only “unfair” if it is “not equitable” or is “marked by injustice, partiality, or deception.” Wyndham Br. at 18-19 (citing Webster’s Ninth New Collegiate Dictionary (1988)). Whether these are requirements of an unfairness claim makes little difference here. A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
We recognize this analysis of unfairness encompasses some facts relevant to the FTC’s deceptive practices claim. But facts relevant to unfairness and deception claims frequently overlap. See, e.g., Am. Fin. Sens. Ass’n v. FTC, 767 F.2d 957, 980 n. 27 (D.C.Cir.1985) (“The FTC has determined that ... making unsubstantiated advertising claims may be both an unfair and a deceptive practice.”); Orkin Exterminating Co. v. FTC, 849 F.2d 1354, 1367 (11th Cir.1988) (“[A] practice may be both deceptive and unfair.... ”).4 We cannot completely disentangle the two theories here. The FTC argued in the District Court that consumers could not reasonably avoid injury by booking with another hotel chain because Wyndham had *246published a misleading privacy policy that overstated its cybersecurity. Plaintiffs Response in Opposition to the Motion to Dismiss by Defendant at 5, FTC v. Wyndham Worldwide Corp., 10 F.Supp.3d 602 (D.N.J.2014) (“Consumers could not take steps to avoid Wyndham’s unreasonable data security [before providing their personal information] because Wyndham falsely told consumers that it followed ‘industry standard practices.’ ”); see JA 203 (“On the reasonably] avoidable part, ... consumers certainly would not have known that Wyndham had unreasonable data security practices in this case.... We also allege that in [Wyndham’s] privacy policy they deceive consumers by saying we do have reasonable security data practices. That is one way consumers couldn’t possibly have avoided providing a credit card to a company.”). Wyndham did not challenge this argument in the District Court nor does it do so now. If Wyndham’s conduct satisfies the reasonably avoidable requirement at least partially because of its privacy policy — an inference we find plausible at this stage of the litigation — then the policy is directly relevant to whether Wyndham’s conduct was unfair.5
Continuing on, Wyndham asserts that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” Wyndham Br. at 21 (emphasis in original). It offers no reasoning or authority for this principle, and we can think of none ourselves. Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n. 45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); West-farm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir.1995) (“Proximate cause may be found even where the conduct of the third party is ... criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”). For good reason, Wyndham does not argue that the cybersecurity intrusions were unforeseeable. That would be particularly implausible as to the second and third attacks.
Finally, Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, ... to require every store in the land to post an armed guard at the door,” Wyndham Br. at 23, and to sue supermarkets that are “sloppy about sweeping up banana peels,” Wyndham Reply Br. at 6. *247The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,-000 customers fall hardly suggests it should be immune from liability under § 45(a).
We are therefore not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of “unfair.”
C. Subsequent Congressional Action
Wyndham next argues that, even if cybersecurity were covered by § 45(a) as initially enacted, three legislative acts since the subsection was amended in 1938 have reshaped the provision’s meaning to exclude cybersecurity. A recent amendment to the Fair Credit Reporting Act directed the FTC and other agencies to develop regulations for the proper disposal of consumer data. See Pub.L. No. 108-159, § 216(a), 117 Stat. 1952, 1985-86 (2003) (codified as amended at 15 U.S.C. § 1681w). The Gramm-Leach-Bliley Act required the FTC to establish standards for financial institutions to protect consumers’ personal information. See Pub.L. No. 106-102, § 501(b), 113 Stat. 1338, 1436-37 (1999) (codified as amended at 15 U.S.C. § 6801(b)). And the Children’s Online Privacy Protection Act ordered the FTC to promulgate regulations requiring children’s websites, among other things, to provide notice of “what information is collected from children ..., how the operator uses such information, and the operator’s disclosure practices for such information.” Pub.L. No. 105-277, § 1303, 112 Stat. 2681, 2681-730-732 (1998) (codified as amended at 15 U.S.C. § 6502).6 Wyndham contends these “tailored grants of substantive authority to the FTC in the cybersecurity field would be inexplicable if the Commission already had general substantive authority over this field.” Wyndham Br. at 25. Citing FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 143, 120 S.Ct. 1291, 146 L.Ed.2d 121 (2000), Wyndham concludes that Congress excluded cybersecurity from the FTC’s unfairness authority by enacting these measures.
We are not persuaded. The inference to congressional intent based on post-enactment legislative activity in Brown & Williamson was far stronger. There, the Food and Drug Administration had repeatedly disclaimed regulatory authority over tobacco products for decades. Id. at 144, 120 S.Ct. 1291. During that period, Congress enacted six statutes regulating tobacco. Id. at 143-44, 120 S.Ct. 1291. The FDA later shifted its position, claiming authority over tobacco products. The Supreme Court held that Congress excluded tobacco-related products from the FDA’s authority in enacting the statutes. As tobacco products would necessarily be banned if subject to the FDA’s regulatory authority, any interpretation to the contrary would contradict congressional intent to regulate rather than ban tobacco products outright. Id. 137-39, 120 S.Ct. 1291; Massachusetts v. EPA 549 U.S. 497, 530-31, 127 S.Ct. 1438, 167 L.Ed.2d 248 (2007). Wyndham does not argue that recent privacy laws contradict reading corporate cybersecurity into § 45(a). Instead, it merely asserts that Congress had no reason to enact them if the FTC could already regu*248late cybersecurity through that provision. Wyndham Br. at 25-26.
We disagree that Congress lacked reason to pass the recent legislation if the FTC already had regulatory authority over some cybersecurity issues. The Fair Credit Reporting Act requires (rather than authorizes) the FTC to issue regulations, 15 U.S.C. § 1681w (“The Federal Trade Commission ... shall issue final regulations requiring....” (emphasis added)); id. § 1681m(e)(l)(B) (“The [FTC and other agencies] shall jointly ... prescribe regulations requiring each financial institution. ...” (emphasis added)), and expands the scope of the FTC’s authority, id. § 1681s(a)(l) (“[A] violation of any requirement or prohibition imposed under this subchapter shall constitute an unfair or deceptive act or practice in commerce ... and shall be subject to enforcement by the [FTC] ... irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests under the [FTC] Act.”). The Gramm-Leach-Bliley Act similarly requires the FTC to promulgate regulations, id. § 6801(b) (“[The FTC] shall establish appropriate standards for the financial institutions subject to [its] jurisdiction.... ”), and relieves some of the burdensome § 45(n) requirements for declaring acts unfair, id. § 6801(b) (“[The FTC] shall establish appropriate standards ... to protect against unauthorized access to or use of ... records ... which could result in substantial harm or inconvenience to any customer.” (emphasis added)). And the Children’s Online Privacy Protection Act required the FTC to issue regulations and empowered it to do so under the procedures of the Administrative Procedure Act, id. •§ 6502(b) (citing 5 U.S.C. § 553), rather than the more burdensome Magnuson-Moss procedures under which the FTC must usually issue regulations, 15 U.S.C; § 57a. Thus none of the recent privacy legislation was “inexplicable” if the FTC already had some authority to regulate corporate cybersecurity through § 45(a).
Next, Wyndham claims that the FTC’s interpretation of § 45(a) is “inconsistent with its repeated efforts to obtain from Congress the very authority it purports to wield here.” Wyndham Br. at 28. Yet again we disagree. In two of the statements cited by Wyndham, the FTC clearly said that some cybersecurity practices are “unfair” under the statute. See Consumer Data Protection: Hearing Before the Sub-comm. on Commerce, Mfg. & Trade of the H. Comm, on Energy & Commerce, 2011 WL 2358081, at *6 (June 15, 2011) (statement of Edith Ramirez, Comm’r, FTC) (“[T]he Commission enforces the FTC Act’s proscription against unfair ... acts ... in cases where a businesses] ... failure to employ reasonable security measures causes or is likely to cause substantial consumer injury.”); Data Theft Issues: Hearing Before the Subcomm. on Commerce, Mfg. & Trade of the H. Comm, on Energy & Commerce, 2011 WL 1971214, at *7 (May 4, 2011) (statement of David C. Vladeck, Director, FTC Bureau of Consumer Protection) (same).
In the two other cited statements, given in 1998 and 2000, the FTC only acknowledged that it cannot require companies to adopt “fair information practice policies.” See FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace — A Report to Congress 34 (2000) [hereinafter Privacy Online]; Privacy in Cyberspace: Hearing Before the Subcomm. on Telecomms., Trade & Consumer Prot. of the H. Comm, on Commerce, 1998 WL 546441 (July 21, 1998) (statement of Robert Pitofsky, Chairman, FTC). These policies would protect consumers from far more than the kind of “substantial injury” typically covered by § 45(a). In addition *249to imposing some cybersecurity requirements, they would require companies to give notice about what data they collect from consumers, to permit those consumers to decide how the data is used, and to permit them to review and correct inaccuracies. Privacy Online, supra at 36-37. As the FTC explained in the District Court, the primary concern driving the adoption of these policies in the late 1990s was that “companies ... were capable of collecting enormous amounts of information about consumers, and people were suddenly realizing this.” JA 106 (emphasis added). The FTC thus could not require companies to adopt broad fair information practice policies because they were “just collecting th[e] information, and consumers [were not] injured.” Id.; see also Order Denying Respondent LabMD’s Motion to Dismiss, No. 9357, slip op. at 7 (Jan. 16, 2014) [hereinafter LabMD Order or LabMD ] (“[T]he sentences from the 1998 and 2000 reports ... simply recognize that the Commission’s existing authority may not be sufficient to effectively protect consumers with regard to all data privacy issues of potential concern (such as aspects of children’s online privacy).... ” (emphasis in original)). Our conclusion is this: that the FTC later brought unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm is not inconsistent with the agency’s earlier position.
Having rejected Wyndham’s arguments that its conduct cannot be unfair, we assume for the remainder of this opinion that it was.
IV. Fair Notice
A conviction or punishment violates the Due Process Clause of our Constitution if the statute or regulation under which it is obtained “fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.” FCC v. Fox Television Stations, Inc., — U.S. -, 132 S.Ct. 2307, 2317, 183 L.Ed.2d 234 (2012) (internal quotation marks omitted). Wyndham claims that, notwithstanding whether its conduct was unfair under § 45(a), the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow.7
A. Legal Standard
The level of required notice for a person to be subject to liability varies by circumstance. In Bouie v. City of Columbia, the Supreme Court held that a “judicial construction of a criminal statute” violates due process if it is “unexpected and indefensible by reference to the law which had been expressed prior to the conduct in issue.” 378 U.S. 347, 354, 84 S.Ct. 1697, 12 L.Ed.2d 894 (1964) (internal quotation marks omitted); see also Rogers v. Tennessee, 532 U.S. 451, 457, 121 S.Ct. 1693, 149 L.Ed.2d 697 (2001); In re Surrick, 338 F.3d 224, 233-34 (3d Cir.2003). The precise meaning of “unexpected and indefensible” is not entirely clear, United States v. Lata, 415 F.3d 107, 111 (1st Cir.2005), but we and our sister circuits frequently use language implying that a conviction violates due process if the defendant could not reasonably foresee that a court might adopt the new interpretation of the stat*250ute.8
The fair notice doctrine extends to civil cases, particularly where a penalty is imposed. See Fox Television Stations, Inc., 132 S.Ct. at 2317-20; Boutilier v. INS, 387 U.S. 118, 123, 87 S.Ct. 1563, 18 L.Ed.2d 661 (1967). “Lesser degrees of specificity” are allowed in civil cases because the consequences are smaller than in the criminal context. San Filippo v. Bongiovanni, 961 F.2d 1125, 1135 (3d Cir.1992). The standards are especially lax for civil statutes that regulate economic activities. For those statutes, a party lacks fair notice when the relevant standard is “so vague as to be no rule or standard at all.” CMR D.N. Corp. v. City of Phila., 703 F.3d 612, 631-32 (3d Cir.2013) (internal quotation marks omitted).9
A different set of considerations is implicated when agencies are involved in statutory or regulatory interpretation. Broadly speaking, agencies interpret in at least three contexts. One is where an agency administers a statute without any special authority to create new rights or obligations. When disputes arise under this kind of agency interpretation, the courts give respect to the agency’s view to the extent it is persuasive, but they retain the primary responsibility for construing the statute.10 As such, the standard of notice afforded to litigants about the meaning of the statute is not dissimilar to the standard of notice for civil statutes generally *251because the court, not the agency, is the ultimate arbiter of the statute’s meaning.
The second context is where an agency exercises its authority to fill gaps in a statutory scheme. There the agency is primarily responsible for interpreting the statute because the courts must defer to any reasonable construction it adopts. See Chevron, U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984). Courts appear to apply a more stringent standard of notice to civil regulations than civil statutes: parties are entitled to have “ascertainable certainty” of what conduct is legally required by the regulation. See Chem. Waste Mgmt., Inc. v. EPA, 976 F.2d 2, 29 (D.C.Cir.1992) (per curiam) (denying petitioners’ challenge that a recently promulgated EPA regulation fails fair notice principles); Nat'l Oilseed Processors Ass’n v. OSHA, 769 F.3d 1173, 1183-84 (D.C.Cir.2014) (denying petitioners’ challenge that a recently promulgated OSHA regulation fails fair notice principles).
The third context is where an agency interprets the meaning of its own regulation. Here also courts typically must defer to the agency’s reasonable interpretation.11 We and several of our sister circuits have stated that private parties are entitled to know with “ascertainable certainty” an agency’s interpretation of its regulation. Sec’y of Labor v. Beverly Healthcare-Hillview, 541 F.3d 193, 202 (3d Cir.2008); Dravo Corp. v. Occupational Safety & Health Rev. Comm’n, 613 F.2d 1227, 1232-33 (3d Cir.1980).12 Indeed, “the due process clause prevents ... deference from validating the application of a regulation that fails to give fair warning of the conduct it prohibits or requires.” AJP Const., Inc., 357 F.3d at 75 (internal quotation marks omitted).
A higher standard of fair notice applies in the second and third contexts than in the typical civil statutory interpretation case because agencies en*252gage in interpretation differently than courts. See Frank H. Easterbook, Judicial Discretion in Statutory Interpretation, 57 Okla. L.Rev. 1, 3 (2004) (“A judge who announces deference is approving a shift in interpretive method, not just a shift in the identity of the decider, as if a suit were being transferred to a court in a different venue.”). In resolving ambiguity in statutes or regulations, courts generally adopt the best or most reasonable interpretation. But, as the agency is often free to adopt any reasonable construction, it may impose higher legal obligations than required by the best interpretation.13
Furthermore, courts generally resolve statutory ambiguity by applying traditional methods of construction. Private parties can reliably predict the court’s interpretation by applying the same methods. In contrast, an agency may also rely on technical expertise and political values.14 -It is harder to predict how an agency will construe a statute or regulation at some unspecified point in the future, particularly when that interpretation will depend on the “political views of the President in office at [that] time.” Strauss, supra at 1147.15
Wyndham argues it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by § 45(a). Yet it has contended repeatedly — no less than seven separate occasions in this case — that there is no FTC rule or adjudication about cybersecurity that merits deference here. The necessary implication, one that Wyndham itself has explicitly drawn on two occasions noted below, is that federal courts are to interpret § 45(a) in the first *253instance to decide whether Wyndham’s conduct was unfair.
Wyndham’s argument has focused on the FTC’s motion to dismiss order in LabMD, an administrative case in which the agency is pursuing an unfairness claim based on allegedly inadequate cybersecurity. LabMD Order, supra. Wyndham first argued in the District Court that the LabMD Order does not merit Chevron deference because “selfiserving, litigation-driven decisions ... are entitled to no deference at all” and because the opinion adopted an impermissible construction of the statute. Wyndham’s January 29, 2014 Letter at 1-2, FTC v. Wyndham Worldunde Corp., 10 F.Supp.3d 602 (D.N.J.2014).
Second, Wyndham switched gears in its opening brief on appeal to us, arguing that LabMD does not merit Chevron deference because courts owe no deference to an agency’s interpretation of the “boundaries of Congress’ statutory delegation of authority to the agency.” Wyndham Br. at 19-20.
Third, in its reply brief it argued again that LabMD does not merit Chevron deference because it adopted an impermissible construction of the statute. Wyndham Reply Br. at 14.
Fourth, Wyndham switched gears once more in a Rule 28(j) letter, arguing that LabMD does not merit Chevron deference because the decision was nonfinal. Wyndham’s February 6, 2015 Letter (citing LabMD, Inc. v. FTC, 776 F.3d 1275 (11th Cir.2015)).
Fifth, at oral argument we asked Wyndham whether the FTC has decided that cybersecurity practices are unfair. Counsel answered: “No. I don’t think consent decrees count, I don’t think the 2007 brochure counts, and I don’t think Chevron deference applies. So are ... they asking this federal court in the first instance ... [?] I think the answer to that question is yes.... ” Oral Arg. Tr. at 19.
Sixth, due to our continuing confusion about the parties’ positions on a number of issues in the case, we asked for supplemental briefing on certain questions, including whether the FTC had declared that cybersecurity practices can be unfair. In response, Wyndham asserted that “the FTC has not declared unreasonable cybersecurity practices ‘unfair.’ ” Wyndham’s Supp. Memo, at 3. Wyndham explained further: “It follows from [our] answer to [that] question that the FTC is asking the federal combs to determine in the first instance that unreasonable cybersecurity practices qualify as ‘unfair’ trade practices under the FTC Act.” Id. at 4.
Seventh, and most recently, Wyndham submitted a Rule 28(j) letter arguing that LabMD does not merit Chevron deference because it decided a question of “deep economic and political significance.” Wyndham’s June 30, 2015 Letter (quoting King v. Burwell, — U.S. -, 135 S.Ct. 2480, 192 L.Ed.2d 483 (2015)).
Wyndham’s position is unmistakable: the FTC has not yet declared that cybersecurity practices can be unfair; there is no relevant FTC rule, adjudication or document that merits deference; and the FTC is asking the federal courts to interpret § 45(a) in the first instance to decide whether it prohibits the alleged conduct here. The implication of this position is similarly clear: if the federal courts are to decide whether Wyndham’s conduct was unfair in the first instance under the statute without deferring to any FTC interpretation, then this case involves ordinary judicial interpretation of a civil statute, and the ascertainable certainty standard does not apply. The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but *254whether Wyndham had fair notice of what the statute itself requires.
Indeed, at oral argument we asked Wyndham whether the cases cited in its brief that apply the “ascertainable certainty” standard — all of which involve a court reviewing an agency adjudication16 or at least a court being asked to defer to an agency interpretation17 — apply where the court is to decide the meaning of the statute in the first instance.18 Wyndham’s counsel responded, “I think it would, your Honor. I think if you go to Ford Motor [Co. v. FTC, 673 F.2d 1008 (9th Cir.1981) ], I think that’s what was happening there.” Oral Arg. Tr. at 61. But Ford Motor is readily distinguishable. Unlike Wyndham, the petitioners there did not bring a fair notice claim under the Due Process Clause. Instead, they argued that, per NLRB v. Bell Aerospace Co., 416 U.S. 267, 94 S.Ct. 1757, 40 L.Ed.2d 134 (1974), the FTC abused its discretion by proceeding through agency adjudication rather than rulemaking.19 More importantly, the Ninth Circuit was reviewing an agency adjudication; it was not interpreting the meaning of the FTC Act in the first instance.
In addition, our understanding of Wyndham’s position is consistent with the District Court’s opinion, which concluded that the FTC has stated a claim under § 45(a) based on the Court’s interpretation of the statute and without any reference to LabMD or any other agency adjudication or regulation. See FTC v. Wyndham Worldwide Corp., 10 F.Supp.3d 602, 621-26 (D.N.J.2014).
*255We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute. If later proceedings in this case develop such that the proper resolution is to defer to an agency interpretation that gives rise to Wyndham’s liability, we leave to that time a fuller exploration of the level of notice required. For now, however, it is enough to say that we accept Wyndham’s forceful contention that we are interpreting the FTC Act (as the District Court did). As a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute.
B. Did Wyndham Have Fair Notice of the Meaning of § 45(a)?
Having decided that Wyndham is entitled to notice of the meaning of the statute, we next consider whether the case should be dismissed based on fair notice principles. We do not read Wyndham’s briefs as arguing the company lacked fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under § 45(a). Wyndham argues instead it lacked notice of what specific cybersecurity practices are necessary to avoid liability. We have little trouble rejecting this claim.
To begin with, Wyndham’s briefing focuses on the FTC’s failure to give notice of its interpretation of the statute and does not meaningfully argue that the statute itself fails fair notice principles. We think it imprudent to hold a 100-year-old statute unconstitutional as applied to the facts of this case when we have not expressly been asked to do so.
Moreover Wyndham is entitled to a relatively low level of statutory notice for several reasons. Subsection 45(a) does not implicate any constitutional rights here. Vill. of Hoffman Estates v. Flipside, Hoffman Estates, Inc., 455 U.S. 489, 499, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982). It is a civil rather than criminal statute.20 Id. at 498-99, 102 S.Ct. 1186. And statutes regulating economic activity receive a “less strict” test because their “subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action.” Id. at 498,102 S.Ct. 1186.
In this context, the relevant legal rule is not “so vague as to be ‘no rule or standard at all.’ ” CMR D.N. Corp., 703 F.3d at 632 (quoting Boutilier, 387 U.S. at 123, 87 S.Ct. 1563)'. Subsection 45(n) asks whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis, Pa. Funeral Dirs. Ass’n v. FTC, 41 F.3d 81, 89-92 (3d Cir.1994); Am. Fin. Servs. Ass’n, 767 F.2d at 975, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. We ac*256knowledge there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold. But under a due process analysis a company is not entitled to such precision as would eliminate all close calls. Cf Nash v. United States, 229 U.S. 378, 377, 33 S.Ct. 780, 57 L.Ed. 1232 (1913) (“[T]he law is full of instances where a man’s fate depends on his estimating rightly, that is, as the jury subsequently estimates it, some matter of degree.”). Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.
What appears to us is that Wyndham’s fair notice claim must be reviewed as an as-applied challenge. See United States v. Mazurie, 419 U.S. 544, 550, 95 S.Ct. 710, 42 L.Ed.2d 706 (1975); San Filippo, 961 F.2d at 1136. Yet Wyndham does not argue that its cybersecurity practices survive a reasonable interpretation of the cost-benefit analysis required by § 45(n). One sentence in Wyndham’s reply brief says that its “view of what data-security practices are unreasonable ... is not necessarily the same as the FTC’s.” Wyndham Reply Br. at 23. Too little and too late.
Wyndham’s as-applied challenge falls well short given the allegations in the FTC’s complaint. As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, Compl. at ¶ 24(a), did not restrict specific IP addresses at all, id. at ¶ 24(j), did not use any encryption for certain customer files, id. at ¶ 24(b), and did not require some users to change' their default or factory-setting passwords at all, id. at ¶ 24(f). Wyndham did not respond to this argument in its reply brief.
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.
Several other considerations reinforce our conclusion that Wyndham’s fair notice challenge fails. In 2007 the FTC issued a guidebook, Protecting Personal Information: A Guide for Business, FTC Response Br. Attachment 1 [hereinafter FTC Guidebook ], which describes a “checklist[ ]” of practices that form a “sound data security plan.” Id. at 3. The guidebook does not state that any particular practice is required by § 45(a),21 but it does counsel against many of the specific practices alleged here. For instance, it recommends that companies “consider encrypting sensitive information that is stored on [a] computer network ... [, cjheck ... software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches.” Id. at 10. It recommends using “a firewall to protect [a] computer from hapker attacks while it is connected to the *257Internet,” deciding “whether [to] install a ‘border’ firewall where [a] network connects to the Internet,” and setting access controls that “determine who gets through the firewall and what they will be allowed to see ... to allow, only trusted employees with a legitimate business need to access the network.” Id. at 14. It recommends “requiring that employees use ‘strong’ passwords” and cautions that “[h]ackers will first try words like ... the software’s default password[ ] and other easy-to-guess choices.” Id. at 12. And it recommends implementing a “breach response plan,” id. at 16, which includes “[ijnvestigat[ing] security incidents immediately and tak[ing] steps to close off existing vulnerabilities or threats to personal information,” id. at 23.
As the agency responsible for administering the statute, the FTC’s expert views about the characteristics of a “sound data security plan” could certainly have helped Wyndham determine in advance that its conduct might not survive the cost-benefit analysis.
Before the attacks, the FTC also filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity. FTC Br. at 47 n.16. The agency published these materials on its website and provided notice of proposed consent orders in the Federal Register. Wyndham responds that the complaints cannot satisfy fair notice principles because they are not “adjudications on the merits.”22 Wyndham Br. at 41. But even where the “ascertainable certainty” standard applies to fair notice claims, courts regularly consider materials that are neither regulations nor “adjudications on the merits.” See, e.g., United States v. Lachman, 387 F.3d 42, 57 (1st Cir.2004) (noting that fair notice principles can be satisfied even where a regulation is vague if the agency “provide[d] a sufficient, publicly accessible statement” of the agency’s interpretation of the regulation); Beverly Healthcare-Hillview, 541 F.3d at 202 (citing Lachman and treating an OSHA opinion letter as a “sufficient, publicly accessible statement”); Gen. Elec. Co., 53 F.3d at 1329. That the FTC commissioners — who must vote on whether to issue a complaint, 16 C.F.R. § 3.11(a); ABA Section of Antitrust Law, FTC Practice and Procedure Manual 160-61 (2007) — believe that alleged cybersecurity practices fail the cost-benefit analysis of § 45(n) certainly helps companies with similar practices apprehend the possibility that their cybersecurity could fail as well.23
*258Wyndham next contends that the individual allegations in the complaints are too vague to be relevant to the fair notice analysis. Wyndham Br. at 41-42. It does not, however, identify any specific examples. And as the Table below reveals, the individual allegations were specific and similar to those here in at least one of the four or five24 cybersecurity-related unfair-practice complaints that issued prior to the first attack.
■ Wyndham also argues that, even if the individual allegations are not vague, the complaints “fail to spell out what specific cybersecurity practices ... actually triggered the alleged violation, ... providing] only a ... description of certain alleged problems that, ‘taken together,’” fail the cost-benefit analysis. Wyndham Br. at 42 (emphasis in original). We part with it on two fronts. First, even if the complaints do not specify which allegations, in the Commission’s view, form the necessary and sufficient conditions of the alleged violation, they can still help companies apprehend the possibility of liability under the statute. Second, as the Table below showá, Wyndham cannot argue that the complaints fail to give notice of the necessary and sufficient conditions of an alleged § 45(a) violation when all of the allegations in at least one of the relevant four or five complaints have close corollaries here. See Complaint, CardSystems Solutions, Inc., No. C-4168, 2006 WL 2709787 (F.T.C.2006) [hereinafter CCS].
Table: Comparing CSS and Wyndham Complaints
CSS
1Created unnecessary risks to personal information by storing it in a vulnerable format for up to 30 days, CSS at ¶ 6(1)._
2Did not adequately assess the vulnerability of its web application and computer network to commonly known or reasonably foreseeable attacks; did not implement simple, low-cost and readily available defenses to such attacks, CSS at ¶ 6(2)-(3)._
3Failed to use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network, CSS at ¶ 6(4).
4Did not use readily available security measures to limit access between computers on its network and between those computers and the Internet, CSS at ¶ 6(5).
5Failed to employ sufficient measures to detect unauthorized access to personal infor*259mation or to conduct security investigations, CSS at ¶ 6(6)._
*258Wyndham
Allowed software at hotels to store payment card information in clear readable text, Compl. at ¶ 24(b)._
Failed to monitor network for the malware used in a previous intrusion, Compl. at ¶ 24(i), which was then reused by hackers later to access the system again, id. at ¶ 34.
Did not employ common methods to require user IDs and passwords that are difficult for hackers to guess. E.g., allowed remote access to a hotel’s property management system that used defaulVfactory setting passwords, Compl. at ¶ 24(f)._
Did not use readily available security measures, such as firewalls, to limit access between and among hotels’ property management systems, the Wyndham network, and the Internet, Compl. at ¶ 24(a)._
Failed to employ reasonable measures to detect and prevent unauthorized access to *259computer network or to conduct security investigations, Compl. at ¶ 24(h)._
In sum, we have little trouble rejecting Wyndham’s fair notice claim.
V. Conclusion
The three requirements in § 45(n) may be necessary rather than sufficient conditions of an unfair practice, but we are not persuaded that any other requirements proposed by Wyndham pose a serious challenge to the FTC’s claim here. Furthermore, Wyndham repeatedly argued there is no FTC interpretation of § 45(a) or (n) to which the federal courts must defer in this case, and, as a result, the courts must interpret the meaning of the statute as it applies to Wyndham’s conduct in the first instance. Thus, Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform. Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case.
We thus affirm the District Court’s decision.
3.6 Complaint, In re Henry Schein Practice Solutions, Inc. 3.6 Complaint, In re Henry Schein Practice Solutions, Inc.
UNITED STATES OF AMERICA
BEFORE THE FEDERAL TRADE COMMISSION
COMMISSIONERS: Edith Ramirez, Chairwoman; Maureen K. Ohlhausen; Terrell McSweeny
In the Matter of
Henry Schein Practice Solutions, Inc.,
a Corporation
DOCKET NO. C-4575
COMPLAINT
The Federal Trade Commission, having reason to believe that Henry Schein Practice Solutions, Inc., a corporation, has violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:
- Respondent Henry Schein Practice Solutions, Inc. (“Henry Schein”) is a Utah corporation with its principal office or place of business at 1220 South 630 East, American Fork, Utah 84003.
- Respondent manufactures, advertises, offers for sale, sells, and distributes office management software for dental practices, including but not limited to the Dentrix software described below.
- The acts or practices of Respondent alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.
Respondent’s Business Practices
- Dentrix software enables dentists to perform common office tasks such as entering patient data, sending appointment reminders, processing patient payments, submitting patient insurance claims, documenting treatment planning, entering progress notes, and recording diagnostic information.
- In the spring of 2012, Respondent introduced the Dentrix G5 software (“Dentrix G5”). Dentrix G5 incorporated a new “database engine” provided by a third-party vendor, which included new capabilities, including a form of data protection that Respondent advertised as “encryption.”
- Dentists use Dentrix G5 to collect and store patients’ personal information. The personal information can consist of sensitive information about patients, including, in some instances:
name, address, telephone number, Social Security number, date of birth, driver’s license number, email address, web user ID and password, picture, name of insurance providers, clinical notes, prescriptions, and diagnoses.
- As early as November 2010, the database engine vendor informed Respondent that the form of data protection used in Dentrix G5 was a proprietary algorithm that had not been tested publicly, and was less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.
- Prior to releasing Dentrix G5, Respondent was aware that the Department of Health and Human Services (“HHS”) directs healthcare providers, including most dentists, to guidance promulgated by the National Institute of Standards and Technology (“NIST”) to help them meet their regulatory obligations to protect patient data. The NIST guidance recommends AES encryption. Respondent was also aware that HHS’ Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires dentists to notify patients of certain breaches, but includes a “safe harbor” so that dentists would not have to notify patients about breached data that was encrypted consistent with NIST Special Publication 800-111.
- Nevertheless, for a period of two years Respondent has disseminated or caused to be disseminated promotional materials and statements for the Dentrix G5 software that emphasize the product’s ability to encrypt patient data and help dentists meet regulatory obligations related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including but not limited to the following statements:
A. “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards” (Dentrix G5 brochure).
B. “Henry Schein is pleased to announce the release of Dentrix G5. G5 stores information in an SQL database, which . . . offers improved protection by storing your patient data in an encrypted format" (eNewsletter Article).
C. “The SQL database also offers improved protection by storing customer data in an encrypted format. With ever-increasing data protection regulations, Dentrix G5 provides an important line of defense for both patient and practitioner.” (eNewsletter Article).
D. “With the release of Dentrix G5, Dentrix now stores information in an SQL database, which delivers several distinct benefits for your practice, including improved data access speed and improved data protection by storing customer data in an encrypted format. With medical professionals under strict regulatory obligations to protect their patients’ personal health information, the new Dentrix G5 database provides an important line of defense for both patient and practitioner.” (Dentrix Magazine).
E. “Dentrix versions prior to G5 relied on the underlying Microsoft operating system and file system safeguard to protect user data. Unfortunately, these were rarely activated by default, and if practices failed to turn them on, their data were at risk to hackers. With Dentrix G5’s embedded SQL database, users have the advanced protection they need without burdening them with another system to manage.” (Interview in DentalTown Magazine).
- On June 10, 2013, the United States Computer Emergency Readiness Team (“US- CERT”) issued Vulnerability Note VU#900031, describing the form of data protection used in Dentrix G5 software as a “weak obfuscation algorithm.” On June 16, 2013, NIST published a corresponding vulnerability alert.
- The US-CERT Vulnerability Note stated that the database engine vendor had agreed to re-brand the data protection as “Data Camouflage” so it would not be confused with standard encryption algorithms, such as AES encryption.
- Despite receiving notice of the US-CERT Vulnerability Note and the database vendor’s decision to re-brand in June 2013, for an additional seven months, Respondent continued to disseminate marketing materials stating that Dentrix G5 “encrypts” patient data and offers “encryption.”
- The facts set forth in Paragraphs 7 and 10 would be material to dentists’ purchase of Dentrix G5. An attacker who unmasks patients’ sensitive personal information could subject patients to the unanticipated disclosure of personal information or use that information to commit identity theft, medical identity theft, or other harms. If dentists were aware that Dentrix G5 used a form of data protection that was more vulnerable than widely-used, industry standard encryption algorithms, they may have chosen to purchase another product.
- The facts set forth in Paragraphs 7, 8, and 10 would also be material to dentists’ use of Dentrix G5. For instance, without knowing that Dentrix G5 provided only minimal protection for their patients’ sensitive personal information, dentists may not take other reasonable and commercially available steps to protect patients’ sensitive personal informaiton.
- Moreover, the facts set forth in Paragraphs 7, 8, and 10 would be material to dentists responding to a data breach. For example, in the event of a breach, dentists may mistakenly believe they qualify for the encryption safe harbor under the Breach Notification Rule, and are not required to notify patients in the event of a breach. Even if a dentist does notify patients, the dentist may misinform patients about their risk of identity theft by telling them that the lost data was “encrypted.”
- Finally, in January 2014, following a series of online media reports criticizing the company’s failure to amend its encryption claims, Respondent published the following statement in the Spring 2014 issue of Dentrix Magazine:
“Available only in Dentrix G5, we previously referred to this data protection as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate.”
- Respondent concurrently revised an array of its marketing materials replacing references to “encryption” or “encryption capabilities” with references to “a data masking technique using cryptographic technologies.” Respondent also added language to many of its marketing materials warning users that this data masking technique “helps to supplement, not replace” a dentist’s own security measures.
- Aside from revising its marketing materials as described, Respondent did not take any additional steps to alert dentists who purchased Dentrix G5 prior to January 2014, that the software used a less complex algorithm to protect patient data than a standard encryption algorithm such as AES encryption.
Violations of Section 5
Count I
Deceptive Claims of Encryption – Industry-Standard
- Through the means described in Paragraphs 5, 9, and 12 Respondent has represented, directly or indirectly, expressly or by implication, that Dentrix G5 provides industry-standard encryption.
- In truth and in fact, as described in Paragraphs 7, 10, and 11, Dentrix G5 used technology that was less secure than industry-standard encryption. Therefore, the representation set forth in Paragraph 19 was false or misleading.
Count II
Deceptive Claims of Encryption – Regulatory Obligations
- Through the means described in Paragraphs 5, 9, and 12 Respondent has represented, directly or indirectly, expressly or by implication, that Dentrix G5 helps dentists protect patient data, as required by
- In truth and in fact, as described in Paragraphs 7, 8, 10, and 11, Dentrix G5 used technology that was not capable of helping dentists protect patient data, as required by Therefore, the representation set forth in Paragraph 21 was false or misleading.
- The acts and practices of Respondent as alleged in this complaint constitute unfair or deceptive acts or practices, in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission
THEREFORE, the Federal Trade Commission this twentieth day of May, 2016, has issued this complaint against Respondent.
3.7 Baldrige v. Shapiro 3.7 Baldrige v. Shapiro
BALDRIGE, SECRETARY OF COMMERCE, et al. v. SHAPIRO, ESSEX COUNTY EXECUTIVE
No. 80-1436.
Argued December 2, 1981
Decided February 24, 1982*
*347Burger, C. J., delivered the opinion for a unanimous Court.
Elliott Sckulder argued the cause for petitioners in No. 80-1436 and respondents in No. 80-1781. With him on the briefs were Solicitor General Lee, Acting Solicitor General Wallace, Acting Assistant Attorney General Schiffer, Deputy Solicitor General Getter, Leonard Schaitman, Michael Kimmel, and John Cordes.
George J. Cerrone, Jr., argued the cause for petitioners in No. 80-1781. With him on the briefs was Max P. Zall.
David H. Ben-Asher argued the cause and filed a brief for respondent in No. 80-1436.†
delivered the opinion of the Court.
We granted certiorari to determine whether lists of addresses collected and utilized by the Bureau of the Census are exempt from disclosure, either by way of civil discovery or the Freedom of Information Act, under, the confidentiality provisions of the Census Act, 13 U. S. C. §§8 and 9.
HH
Under Art. I, § 2, cl. 3, of the United States Constitution, responsibility for conducting the decennial census rests with *348Congress.1 Congress has delegated to the Secretary of Commerce the duty to conduct the decennial census, 13 U. S. C. § 141; the Secretary in turn has delegated this function to the Bureau of the Census. 13 U. S. C. § 21.
The 1980 enumeration conducted by the Bureau of the Census indicated that Essex County, N. J., which includes the city of Newark, and Denver, Colo., among other areas, had lost population during the 1970’s. This information was conveyed to the appropriate officials in both Essex County and Denver. Under Bureau procedures a city has 10 working days from receipt of the preliminary counts to challenge the accuracy of the census data.2 Both Essex County and Denver challenged the census count under the local review procedures. Both proceeded on the theory that the Bureau had erroneously classified occupied dwellings as vacant, and both sought to compel disclosure of a portion of the address lists used by the Bureau in conducting its count in their respective jurisdictions.
*349A
BALDRIGE v. SHAPIRO (No. 80-1436)
The Essex County Executive filed suit in the United States District Court for the District of New Jersey to compel the Bureau to release the “master address” register under the Freedom of Information Act (FOIA), 5 U. S. C. § 552.3 The master address register is a listing of such information as addresses, householders’ names, number of housing units, type of census inquiry, and, where applicable, the vacancy status of the unit. The list was compiled initially from commercial mailing address lists and census postal checks, and was updated further through direct responses to census questionnaires, pre- and post-enumeration canvassing by census personnel, and in some instances by a cross-check with the 1970 census data. The Bureau resisted disclosure of the master address list, arguing that 13 U. S. C. §§ 8(b) and 9(a) prohibit disclosure of all raw census data pertaining to particular individuals, including addresses. The Bureau argued that it therefore could lawfully withhold the information under the FOIA pursuant to Exemption 3, which provides that the FOIA does not apply where information is specifically exempt from disclosure by statute. 5 U. S. C. § 552(b)(3).
The District Court concluded that the FOIA required disclosure of the requested information. The court began its analysis by noting that public policy favors disclosure under the FOIA unless the information falls within the statutory exemptions. The District Court concluded that the Census Act did not provide a “blanket of confidentiality” for all census materials. Rather, the confidentiality limitation is *350“solely to require that census material be used in furtherance of the Bureau’s statistical mission and to ensure against disclosure of any particular individual’s response.” App. to Pet. for Cert. 10a. The court noted that Essex County did not seek access to individual census reports or information relative to particular individuals, but sought access to the address list exclusively for statistical purposes in conjunction with the Bureau’s own program of local review. In addition, the Secretary is authorized by the Census Act to utilize county employees if they are sworn to observe the limitations of the statute. The District Court concluded that the Bureau’s claim of confidentiality impeded the goal of accurate and complete enumeration. Finally, the District Court found that the information sought was not derived from the questionnaires received, but rather from data available prior to the census. The District Court ordered the Bureau to make available the address register of all property in the county, with the proviso that all persons using the records be sworn to secrecy.4 The United States Court of Appeals for the Third Circuit affirmed for the reasons stated by the District Court. App. to Pet. for Cert. la. Judgment order reported at 636 F. 2d 1210 (1980).
B
McNICHOLS v. BALDRIGE (No. 80-1781)
The city of Denver, through its officials, filed suit in the United States District Court for the District of Colorado seeking a preliminary injunction to require the Bureau to cooperate with the city in verifying its vacancy data.5 The *351District Court did not rule on the preliminary injunction, but instead focused on whether the city of Denver was entitled to the vacancy information contained in the updated master address registers maintained by the Bureau. The District Court granted the city of Denver’s discovery request for this information. The court concluded that the city should have access to the information because without the address list the city was denied any meaningful ability to challenge the Bureau’s data. In light of what it deemed the important constitutional and statutory rights involved, the District Court concluded that the purposes of § 9 of the Census Act could be maintained without denying the city the right of discovery. The District Court entered a detailed order to protect the confidentiality of the information.6
The United States Court of Appeals for the Tenth Circuit reversed. 644 F. 2d 844 (1981). The Court of Appeals relied on the “express language” of the statute and on the “'emphatically expressed intent of Congress to protect census information.’ ” Id., at 845, quoting Seymour v. Barabba, *352182 U. S. App. D. C. 185, 188, 559 F. 2d 806, 809 (1977). The court reasoned that Congress has the power to make census information immune from direct discovery or disclosure. The court concluded that Congress has neither made nor implied an exception covering this case. The Court of Appeals also found no indication that Congress is constitutionally required to provide the city with information to challenge the census data. The court concluded that the city of Denver’s remedy must lie with Congress.
Thus, the United States Court of Appeals for the Third Circuit ordered disclosure of the master address list under the FOIA. App. to Pet. for Cert. la. The United States Court of Appeals for the Tenth Circuit denied discovery of similar information, concluding that the data was privileged from disclosure. 644 F. 2d 844 (1981). We granted certio-rari in these cases to determine whether such information is to be disclosed under either of the requested procedures. 451 U. S. 936 (1981); 452 U. S. 937 (1981).
B
<
The broad mandate of the FOIA is to provide for open disclosure of public information.7 The Act expressly recognizes, however, that public disclosure is not always in the public interest and consequently provides that agency records may be withheld from disclosure under any one of the nine exemptions defined in 5 U. S. C. § 552(b). Under Exemption 3 disclosure need not be made as to information “specifically exempted from disclosure by statute” if the statute affords the agency no discretion on disclosure, or establishes particular criteria for withholding the data, or refers to the *353particular types of material to be withheld. The question in Baldrige v. Shapiro, No. 80-1436, is twofold: first, do §§ 8(b) and 9(a) of the Census Act constitute a statutory exception to disclosure within the meaning of Exemption 3; and second, is the requested data included within the protection of §§ 8(b) and 9(a).
B
Although the national census mandated by Art. I, § 2, of the Constitution fulfills many important and valuable functions for the benefit of the country as a whole, its initial constitutional purpose was to provide a basis for apportioning representatives among the states in the Congress.8 The census today serves an important function in the allocation of federal grants to states based on population. In addition, the census also provides important data for Congress and ultimately for the private sector.9
*354Although Congress has broad power to require individuals to submit responses, an accurate census depends in large part on public cooperation. To stimulate that cooperation Congress has provided assurances that information furnished to the Secretary by individuals is to be treated as confidential. 13 U. S. C. §§ 8(b), 9(a). Section 8(b) of the Census Act provides that subject to specified limitations, “the Secretary [of Commerce] may furnish copies of tabulations and other statistical materials which do not disclose the information reported by, or on behalf of, any particular respondent . . . .” Section 9(a) provides farther assurances of confidentiality:
“Neither the Secretary, nor any other officer or employee of the Department of Commerce or bureau or agency thereof, may, except as provided in section 8 of this title—
“(1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or
*355“(2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or
“(3) permit anyone other than the sworn officers and employees of the Department or bureau or agency thereof to examine the individual reports.”
Sections 8(b) and 9(a) explicitly provide for the nondisclosure of certain census data. No discretion is provided to the Census Bureau on whether or not to disclose the information referred to in §§ 8(b) and 9(a). Sections 8(b) and 9(a) of the Census Act therefore qualify as withholding statutes under Exemption 3.10 Raw census data is protected under the §§ 8(b) and 9(a) exemptions, however, only to the extent that the data is within the confidentiality provisions of the Act.
C
Essex County and various amici vigorously argue that § § 8(b) and 9(a) of the Census Act are designed to prohibit disclosure of the identities of individuals who provide raw census data; for this reason, they argue, the confidentiality provisions protect raw data only if the individual respondent can be identified. The unambiguous language of the confidentiality provisions, as well as the legislative history of the Act, however, indicates that Congress plainly contemplated that raw data reported by or on behalf of individuals was to be held confidential and not available for disclosure.
*356We begin first with the language of §§ 8(b) and 9(a). Watt v. Energy Action Educational Foundation, 454 U. S. 151 (1981). Section 8(b) allows the Secretary to provide statistical materials “which do not disclose the information reported by, or on behalf of, any particular respondent. . . .” (Emphasis added.) The focus of § 9(a) is also on the information that constitutes the statistical compilation. The Secretary is prohibited from using the “information” except for statistical purposes and is prohibited from publication “whereby the data furnished by any particular establishment or individual under this title can be identified . . . .” (Emphasis added.)
The language of each section refers to protection of the “information” or “data” compiled. In addition, the provisions of § 8(b) prohibit disclosure of data provided “by, or on behalf of,” any respondent. By protecting data revealed “on behalf of” a respondent, Congress further emphasized that the data itself was to be protected from disclosure.
The legislative history also makes clear that Congress was concerned not solely with protecting the identity of individuals. Since 1879 Congress has expressed its concern that confidentiality of data reported by individuals also be preserved. At that time each census taker was required by law to take an oath “not [to] disclose any information contained in the schedules, lists, or statements.” Act of Mar. 3, 1879, ch. 195, §7, 20 Stat. 475, and Act of Apr. 20, 1880, ch. 57, 21 Stat. 75.11 As a result of the detailed questions asked in the 1880 and 1890 censuses, Congress amended the Census Act *357to broaden the confidentiality protections. Act of Mar. 3, 1899, ch. 419, §21, 30 Stat. 1020. The law restricted disclosure unless the Director of the Census authorized that the information be revealed. The governor of any state or the chief officer of any municipal government upon request, however, could receive a list of individuals counted within the territory of the jurisdiction. § 30, 30 Stat. 1021. The Director of the Census frequently was asked to disclose information to cities complaining of undercounts. For example, data was revealed to New York City after the 1890 census in order to allow the city to challenge the accuracy of the federal count. House Committee on the Eleventh Census, Reenu-meration of New York City, 51st Cong., 2d Sess. (1890). See also Decennial Census, at 113-138.
In 1929 Congress again amended the Census Act and provided the confidentiality provisions of § 9. Act of June 18, *3581929, ch. 28, § 11, 46 Stat. 25. The amendment gave the Director of the Census no discretion to release data, regardless of the claimed beneficial effect of disclosure. The confidentiality provisions extended to all information collected by the Bureau of the Census. Decennial Census, at 116. No special access was granted to states or municipalities. In 1976 the confidentiality provision of § 8 was strengthened “to add further protection of privacy” by prohibiting disclosure of information “reported by, or on behalf of, any respondent.” S. Rep. No. 94-1256, pp. £4 (1976). See also H. R. Conf. Rep. No. 94-1719, p. 10 (1976). The prohibitions of disclosure of “material which might disclose information reported by, or on behalf of, any respondent” extend both to “public and private entities,” S. Rep. No. 94-1256, supra, at 4, further indicating that the municipalities requesting disclosure of raw census data have no special claim to the information.
The foregoing history of the Census Act reveals a congressional intent to protect the confidentiality of census information by prohibiting disclosure of raw census data reported by or on behalf of individuals. Subsequent congressional action is consistent with this interpretation. In response to claimed undercounts in the census of 1960 and of 1970, Congress considered, but ultimately rejected, proposals to allow local officials limited access to census data in order to challenge the census count. See H. R. 8871, 95 Cong., 1st Sess. (1977); Hearings on H. R. 8871 before the Subcommittee on Census and Population of the House Committee on Post Office and Civil Service, 95th Cong., 1st Sess. (1977).
A list of vacant addresses is part of the raw census data— the information — intended by Congress to be protected. The list of addresses requested by the County of Essex constitutes “information reported by, or on behalf of,” individuals responding to the census. The initial list of addresses is taken from prior censuses and mailing lists. This information then is verified both by direct mailings and census enumerators who go to areas not responding. See, e. g., 1980 *359Census Questionnaire, Question No. H4 (“How many living quarters, occupied and vacant, are at this address?”). As with all the census material, the information on vacancies was updated from data obtained from neighbors and others who spoke with the followup census enumerators. The final master address list therefore includes data reported by or on behalf of individuals.
Under the clear language of the Census Act it is not relevant that the municipalities seeking the data will use it only for statistical purposes. Section 9(a)(1) permits use of the data only for “the statistical purposes for which it is supplied.” There is no indication in the Census Act that the hundreds of municipal governments in the 50 states were intended by Congress to be the “monitors” of the Census Bureau.12 In addition, limiting use of data only for “statistical” purposes in no way indicates that raw data may be revealed outside the strict requirements of the Census Act that data be handled by census employees sworn to secrecy.13
Because §§ 8(b) and 9(a) of the Census Act constitute withholding statutes under Exemption 3 of the FOIA and because the raw census data in this case was intended to be protected from disclosure within those provisions of the Census Act, the requested information is not subject to disclosure under the FOIA.
*360HH HH H-H
The discovery provisions of the Federal Rules of Civil Procedure, similar to the FOIA, are designed to encourage open exchange of information by litigants in federal courts. Unlike the FOIA, however, the discovery provisions under the Federal Rules focus upon the need for the information rather than a broad statutory grant of disclosure.14 Federal Rule of Civil Procedure 26(b)(1) provides for access to all information “relevant to the subject matter involved in the pending action” unless the information is privileged. If a privilege exists, information may be withheld, even if relevant to the lawsuit and essential to the establishment of plaintiffs claim.
It is well recognized that a privilege may be created by statute.15 A statute granting a privilege is to be strictly construed so as “to avoid a construction that would suppress otherwise competent evidence.” St. Regis Paper Co. v. United States, 368 U. S. 208, 218 (1961). In the case of the city of Denver, the central inquiry is whether §§ 8(b) and 9(a) create a privilege so as to protect against disclosure of the raw census data requested.16
*361As noted above, § 8(b) and § 9(a) of the Census Act embody explicit congressional intent to preclude all disclosure of raw census data reported by or on behalf of individuals. This strong policy of nondisclosure indicates that Congress intended the confidentiality provisions to constitute a “privilege” within the meaning of the Federal Rules. Disclosure by way of civil discovery would undermine the very purpose of confidentiality contemplated by Congress. One such purpose was to encourage public participation and maintain public confidence that information given to the Census Bureau would not be disclosed. The general public, whose cooperation is essential for an accurate census, would not be concerned with the underlying rationale for disclosure of data that had been accumulated under assurances of confidentiality. Congress concluded in §§ 8(b) and 9(a) that only a bar on disclosure of all raw data reported by or on behalf of individuals would serve the function of assuring public confidence. This was within congressional discretion, for Congress is vested by the Constitution with authority to conduct the census “as they shall by Law direct.”17 The wisdom of its classifications is not for us to decide in light of Congress’ 180 years’ experience with the census process.
*362This is not to say that the city of Denver does not also have important reasons for requesting the raw census data for purposes of its civil suit. A finding of “privilege,” however, shields the requested information from disclosure despite the need demonstrated by the litigant.
IV
We hold that whether sought by way of requests under the FOIA or by way of discovery rules, raw data reported by or on behalf of individuals need not be disclosed. Congress, of course, can authorize disclosure in executing its constitutional obligation to conduct a decennial census. But until Congress alters its clear provisions under §§ 8(b) and 9(a) of the Census Act, its mandate is to be followed by the courts.
Accordingly the judgment of the United States Court of Appeals for the Third Circuit in No. 80-1436 is reversed, and the judgment of the United States Court of Appeals for the Tenth Circuit in No. 80-1781 is affirmed.
It is so ordered.