In April, Edith Ramirez, Chairwoman of the FTC, and Julie Brill, FTC Commissioner, tweeted: “Pleased the court recognized @FTC’s authority to hold biz accountable for safeguarding consumer data & look forward to trying this case.” This tweet was celebratory, but signaled caution to companies regulated by the Federal Trade Commission (FTC).
The tweet referred to the decision of the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide Corp., which affirmed that the FTC has authority to regulate cybersecurity under Section 5 of the Federal Trade Commission Act (FTCA). The FTC had charged the hotel chain with unfair and deceptive trade practices “in connection with [Wyndham’s] failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The FTC alleged that Wyndham’s security failures allowed hackers to access its Phoenix, Arizona data center in three data breaches in 2008 and 2009, during which consumers’ accounts were exposed, more than $10.6 million in fraud loss was incurred, and consumers’ payment card account information was exported to a Russian-registered domain. The FTC claimed certain statements on Wyndham’s website and privacy policies were deceptive, including the hotel chain’s assertion: “We safeguard our Customers’ personally identifiable information by using industry standard practices. Although ‘guaranteed security’ does not exist either on or off the Internet, we take commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”
Wyndham responded to the enforcement action with an aggressive motion to dismiss, asserting that the FTC did not have the power to regulate corporate data security practices. But the court favored a broad reading of the FTC’s power, noting that Congress vested the commission with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” In early July, Wyndham asked the Third Circuit Court of Appeals to hear two interlocutory questions: (1) whether Section 5 of the FTCA grants the FTC authority to regulate corporate data security, and (2), if so, what notice the FTC must give before bringing unfairness claims.
The Wyndham case undoubtedly will embolden the FTC in its enforcement efforts against businesses that collect or use consumer information, including those in the healthcare, hospitality, and mobile applications industries. Therefore, organizations should review not only their data and cybersecurity protocols but also their data protection policies—and do so under the protection of the attorney-client privilege. Although the FTC does not publish the rules and regulations determined through confidential settlements with FTC-regulated companies—a main component of Wyndham’s argument regarding the lack of notice for compliance purposes—the FTC has published public statements and maintains it provides guidance through its enforcement actions on data breaches. Corporate legal departments should evaluate these FTC rulings and statements and compare their company’s cybersecurity practices against them to ensure they are using “commercially reasonable” measures.