In a highly anticipated ruling in April, a federal district court in New Jersey upheld the Federal Trade Commission’s (FTC) authority to prosecute businesses for data security failures in the case of FTC v. Wyndham Worldwide Corporation, et al. Although the court noted that its decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the decision was a resounding victory for the FTC in its ongoing efforts to police businesses’ data security practices. So there is no reason to expect the FTC to scale back its efforts any time soon.
Additionally, the Wyndham decision may empower others outside of the FTC—in particular, state attorneys general and the plaintiffs’ bar. State attorneys general may view Wyndham as implicit support for their own efforts at regulating businesses’ data security practices, despite the lack of specific data security legislation in most states. That is because state attorneys general, like the FTC, rely on statutes that prohibit unfair and deceptive trade practices as the basis for pursuing enforcement actions against businesses involved in a data security incident.
The plaintiffs’ bar may view Wyndham as further confirmation that even businesses in nonregulated industries are required to implement data security measures—no matter how unclearly defined the obligations may be—and that businesses must very carefully comply with privacy and security-related obligations they undertake via representations in published website privacy policies. A failure of either kind could serve as the basis for the next private action by an aggrieved consumer, perhaps even the next class action.
Pre-Wyndham Enforcement Efforts
As background, the FTC is charged with enforcing Section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices.” It has the authority to pursue injunctive and monetary relief for conduct injurious to consumers. For the last 15 years, the FTC has interpreted its jurisdiction under Section 5 to extend to data security and has brought a number of high-profile enforcement actions. The FTC has settled over 50 such actions. No case has been fully adjudicated, and the FTC has not issued any formal rules defining what constitutes “unfair or deceptive acts or practices” in the context of data security.
Last year, Wyndham began its challenge to the FTC’s jurisdiction to regulate data security under the FTC Act. The FTC filed suit, alleging that Wyndham Worldwide and two of its subsidiaries (collectively, “Wyndham”) engaged in deceptive and unfair practices in violation of Section 5 by failing to maintain reasonable and appropriate data security for computer systems independently owned by 90 Wyndham-branded hotels linked to Wyndham’s central network. The FTC alleged that this gave hackers access to more than 600,000 consumer payment card account numbers, resulting in more than $10.6 million in fraudulent charges between April 2008 and January 2010. The FTC also alleged that Wyndham engaged in a deceptive act by falsely stating in its website privacy policy that it had implemented reasonable and appropriate measures to protect personal information from unauthorized access.
Making the Decision
Wyndham moved to dismiss the FTC action on several grounds, each of which the federal court rejected in its recent decision.
First, Wyndham challenged the FTC’s authority to assert an unfairness claim in the data security context, arguing that federal legislation authorizing particular agencies to establish minimum security standards in narrow sectors of the economy—such as the financial sector, the health care field, and websites catering to children—is incompatible with the FTC’s generalized enforcement authority under Section 5. The court rejected that argument, finding that the FTC’s unfairness authority over data security can coexist with sector-specific legislation, and that the legislation seems to complement, not preclude, the FTC’s authority.
Second, Wyndham argued that the FTC violated fair notice principles by failing to formally promulgate data security standards before bringing its unfairness claim to enforce them. Wyndham argued that the FTC’s prior consent decrees and its business guidance brochure failed to provide fair notice as to what businesses must do to comply with the law in the highly complex and sophisticated world of data security. The district court rejected this argument, too, noting that the FTC’s public complaints, consent decrees, public statements, and business guidance brochure are readily available to the public. And Wyndham’s own references to “industry standard practices,” and “commercially reasonable efforts,” in its website privacy policy suggested that businesses are aware of basic obligations related to security of personal information about consumers.
Third, Wyndham argued that there was “no substantial injury to consumers that is not reasonably avoidable by consumers themselves,” which is a requirement for “unfairness” claims under Section 5. This argument failed as well, as the court determined that Wyndham’s alleged practices, taken together, permitted the reasonable inference that Wyndham’s data security practices caused theft of personal data, which ultimately caused substantial injury to consumers. This despite the fact that affected consumers may have the benefit of no- or limited-liability agreements with their card issuers, which may go beyond the consumer liability limits imposed by law.
Wyndham’s final challenge, which also was rejected, focused on the limited scope of its website privacy policy and the legal separation between it and its Wyndham-branded hotels. Wyndham argued that its online privacy policy made no representations related to the branded hotels and, instead, expressly excluded them. Focusing its inquiry on how a reasonable consumer would have understood the policy’s representations about data security practices, the court found that it could be read as applying to both Wyndham and Wyndham-branded hotels.
This issue may really muddy the waters for businesses like Wyndham that have many independent franchises doing business under a recognized brand. Might they be expected to regulate not only their own data security practices, but also those of franchisees from which they may be considered legally separate in most other liability-related contexts?
Because of the relative lack of formal rulemaking or binding case authority related to data security practices, particularly in nonregulated industries, it will be important to pay careful attention to further developments involving the FTC and state attorneys general. This will include monitoring and reviewing complaints, consent decrees, and public statements by the agencies, especially while we await some final determination as to whether data security legislation of some kind will be passed at the federal level or in states other than the handful that have such standards already in place.