In a highly anticipated ruling in April, a federal district court in New Jersey upheld the Federal Trade Commission’s (FTC) authority to prosecute businesses for data security failures in the case of FTC v. Wyndham Worldwide Corporation, et al. Although the court noted that its decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the decision was a resounding victory for the FTC in its ongoing efforts to police businesses’ data security practices. So there is no reason to expect the FTC to scale back its efforts any time soon.
Additionally, the Wyndham decision may empower others outside of the FTC—in particular, state attorneys general and the plaintiffs’ bar. State attorneys general may view Wyndham as implicit support for their own efforts at regulating businesses’ data security practices, despite the lack of specific data security legislation in most states. That is because state attorneys general, like the FTC, rely on statutes that prohibit unfair and deceptive trade practices as the basis for pursuing enforcement actions against businesses involved in a data security incident.
The plaintiffs’ bar may view Wyndham as further confirmation that even businesses in nonregulated industries are required to implement data security measures—no matter how unclearly defined the obligations may be—and that businesses must very carefully comply with privacy and security-related obligations they undertake via representations in published website privacy policies. A failure of either kind could serve as the basis for the next private action by an aggrieved consumer, perhaps even the next class action.
Pre-Wyndham Enforcement Efforts
As background, the FTC is charged with enforcing Section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices.” It has the authority to pursue injunctive and monetary relief for conduct injurious to consumers. For the last 15 years, the FTC has interpreted its jurisdiction under Section 5 to extend to data security and has brought a number of high-profile enforcement actions. The FTC has settled over 50 such actions. No case has been fully adjudicated, and the FTC has not issued any formal rules defining what constitutes “unfair or deceptive acts or practices” in the context of data security.
Making the Decision
Wyndham moved to dismiss the FTC action on several grounds, each of which the federal court rejected in its recent decision.
First, Wyndham challenged the FTC’s authority to assert an unfairness claim in the data security context, arguing that federal legislation authorizing particular agencies to establish minimum security standards in narrow sectors of the economy—such as the financial sector, the health care field, and websites catering to children—is incompatible with the FTC’s generalized enforcement authority under Section 5. The court rejected that argument, finding that the FTC’s unfairness authority over data security can coexist with sector-specific legislation, and that the legislation seems to complement, not preclude, the FTC’s authority.
Third, Wyndham argued that there was “no substantial injury to consumers that is not reasonably avoidable by consumers themselves,” which is a requirement for “unfairness” claims under Section 5. This argument failed as well, as the court determined that Wyndham’s alleged practices, taken together, permitted the reasonable inference that Wyndham’s data security practices caused theft of personal data, which ultimately caused substantial injury to consumers. This despite the fact that affected consumers may have the benefit of no- or limited-liability agreements with their card issuers, which may go beyond the consumer liability limits imposed by law.
This issue may really muddy the waters for businesses like Wyndham that have many independent franchises doing business under a recognized brand. Might they be expected to regulate not only their own data security practices, but also those of franchisees from which they may be considered legally separate in most other liability-related contexts?
Because of the relative lack of formal rulemaking or binding case authority related to data security practices, particularly in nonregulated industries, it will be important to pay careful attention to further developments involving the FTC and state attorneys general. This will include monitoring and reviewing complaints, consent decrees, and public statements by the agencies, especially while we await some final determination as to whether data security legislation of some kind will be passed at the federal level or in states other than the handful that have such standards already in place.