On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s authority to police corporate cybersecurity practices. Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corp., supported by many prominent business groups, had argued the commission did not have the power to regulate corporate data-security practices. While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantle as the top federal enforcement authority in the area of cybersecurity.
It can be argued the growing influence of the FTC in the area of cybersecurity is the result of inaction rather than a deliberate plan to expand the reach of the commission. Despite a clear need, Congress has been unable to pass significant cybersecurity legislation, let alone a comprehensive bill addressing the rising threat posed by cyber attacks. The result of this inaction, lack of clear regulations and absence of a designated enforcement body is a power vacuum, and in Washington such vacuums will eventually be filled. In the case of cybersecurity, it is the FTC that has come forward to fill the void in cybersecurity enforcement.
The FTC has quietly moved to the forefront of the cybersecurity discussion by initiating enforcement actions following cyber attacks. These enforcement actions have resulted in the imposition of tens of millions of dollars in penalties, private settlements and expensive compliance obligations. When private settlements fail, the FTC has initiated litigation to hold corporations accountable for cyber breaches involving customer data. In the absence of cybersecurity legislation or a specific grant of authority by Congress, it is reasonable to question the legal footing on which the FTC relies to initiate enforcement actions challenging cyber preparedness.
The FTC argued it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” With regard to consumer fairness and protection, the FTC believes Section 5’s “catch-all” prohibition unquestionably covers deceptive data-security practices. It further believes Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy, including cybersecurity. Wyndham and many other business organizations disagreed with this logic and raised their divergent views in the form of a direct challenge to the FTC’s interpretation of its own authority in a proceeding pending before the New Jersey federal court.
In FTC v. Wyndham Worldwide Corporation, et al., the commission initiated an action against Wyndham following a series of cyber breaches at several of the company's branded hotels, where customer credit card information was exposed. The FTC filed suit against Wyndham itself, even though each Wyndham-branded hotel is independently owned and operates a separate computer network. The FTC’s enforcement action did not allege that any guest credit card information was compromised, that any improper charges were placed on the credit cards of Wyndham customers or that Wyndham dealt unfairly with its customers. The FTC pressed forward with an enforcement action based on its perceived, long-established authority under Section 5 of the FTC Act to protect consumers’ data from identity theft and other injury resulting from unreasonable data-security measures.
The gravamen of the FTC’s action is the belief Wyndham did not maintain “reasonable and appropriate” data-security protections and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive. Unlike other companies pursued by the FTC, Wyndham did not retreat and aggressively defended itself against the allegations. Through its motion to dismiss, Wyndham directly challenged the FTC’s authority to regulate cybersecurity and to initiate enforcement proceedings by relying on Section 5.
In its first line of defense, Wyndham argued cybersecurity regulation and legislation should be developed through the legislative process, not by bureaucrats. Specifically, Wyndham suggested Congress, not the FTC, is the proper body to regulate cybersecurity and that it alone has authority over data-security standards. In support of this position, Wyndham noted that Congress has already “spoken” by enacting federal statutes authorizing particular agencies to establish data-security standards for specified industries or sectors. Wyndham further argued Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Wyndham also took the position that the FTC does not have the expertise or authority to establish data-security standards for the private sector, especially when the commission itself has been hacked.
In addition to challenging the alleged basis for the FTC’s enforcement authority, Wyndham noted that a particularly troubling aspect of the FTC’s enforcement regime is its failure to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de facto regulations.
In practice, the FTC files an enforcement action against public Company A and enters a settlement agreement with the alleged offender that is confidential and not available to the public. The FTC can then proceed to initiate an action against Company B for violating Section 5 by failing to adopt the policies or procedures implemented through the confidential settlement with Company A. Wyndham questioned how businesses can ensure compliance with such unpublished requirements. Various associations, including the U.S. Chamber of Commerce and the American Hotel & Lodging Association, supported Wyndham by filing an amicus brief in support of the motion to dismiss.
For its part, the FTC was not prepared to accept any limitation on its ability to regulate cybersecurity using Section 5 of the FTC Act. In opposing the motion to dismiss, the FTC fervently maintained that its broad consumer protection mandate authorizes it to regulate the entire economy. Simply put, the FTC believes it currently has the right to protect consumers from known, evolving and unanticipated threats, without the need for a specific delegation of authority from Congress. The FTC characterized Wyndham’s suggestion that the FTC is prohibited from acting in any given sector of the economy — including cybersecurity — as unprecedented and unsupported.
With regard to the lack of formal regulations, the FTC disputes Wyndham’s contention regarding the necessity of guidelines, arguing it is simply not practicable to have highly particularized guidelines on data security. Arguing in support of a loose regulatory framework, the FTC believes it has provided considerable guidance to companies through public statements and 19 enforcement actions on data breaches. The FTC takes the position that this is sufficient to provide industry with “notice of different features of data security that must be evaluated in order to maintain a reasonable data-security program.” Analogizing cybersecurity to tort law, the FTC argued it will be up to the court to determine if a particular company’s data-security measures are “reasonable.”
Framing the parties' dispute, Judge Salas noted that Wyndham’s “motion to dismiss demands that this [c]ourt carve out a data-security exception to the FTC’s authority and that the commission publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.
On the central issue of whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas rejected the argument that permitting the FTC to exercise authority over data security would lead to a result “that is incompatible with more recent legislation and thus would ‘plainly contradict congressional policy.’” Addressing Wyndham’s reliance on FDA v. Brown & Williamson Tobacco Corp., an important U.S. Supreme Court decision limiting the scope of the U.S. Food and Drug Administration's authority, Judge Salas found that “unlike the FDA’s regulation over tobacco, the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” In this regard, the failure of Congress to enact a comprehensive cybersecurity regime inured to the benefit of the FTC. Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.”
After finding that Section 5 permits the FTC to wade into cybersecurity waters, the court addressed the argument that it would violate basic principles of fair notice and due process to hold Wyndham liable absent clear “rules, regulations or other guidelines explaining what data-security practices the [FTC] believes Section 5 to forbid or require.” Rephrasing Wyndham’s argument, Judge Salas noted the issue is not whether the FTC must provide fair notice, but rather “whether fair notice requires the FTC to formally issue rules and regulations before it can file an unfairness claim in federal district court.”
After analyzing the law, the court ultimately concluded the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that "[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”
The outcome of the motion to dismiss is significant to the parties in this action and, depending on how other courts rule, may prove to be a pivotal event in shaping the future of cybersecurity enforcement. With the wind at its back and its authority upheld, the FTC will most likely be further empowered to regulate cyber breaches and to expand its influence in the area of cybersecurity enforcement. In light of this decision, companies would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare those practices against peer firms and evaluate cyber protocols in light of all relevant FTC rulings and statements. These steps will go a long way toward ensuring a company’s cybersecurity practices are deemed adequate and “commercially reasonable” by the FTC.
"Back Off Business, Cybersecurity Is FTC's Turf Now," by Steven L. Caponi appeared in the June 10, 2014 edition of Law360 (www.law360.com). Reprinted with permission from Law360.