Court Sides with FTC on Sweeping Data Security Role

by Dechert LLP

Executive Summary: Federal Trade Commission v. Wyndham Worldwide Corp.

A U.S. District Court has ruled this week that the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to bring enforcement litigation against companies whose data security practices are deemed to be “unfair” or “deceptive.” The ruling does not require the FTC to issue any standards or guidelines as to what data security practices are sufficient in the eyes of the FTC. The ruling is likely to lead to an increase in FTC enforcement actions and private litigation.

For more than a decade, the FTC has targeted companies whose data security safeguards it believes are unreasonable. Because no federal law, regulation, or agency guidance currently spells out the data security standards that all companies operating in the U.S. must satisfy, the FTC has proceeded under its general authority to address “unfair” or “deceptive” business practices. The FTC has stepped in not only in cases of actual data breaches involving the theft or unauthorized disclosure of customers’ personal data, but also where it believes that deficiencies in a company’s data security systems create a risk of future consumer harm, even though no breach has occurred.

In recent enforcement actions, the FTC has reached beyond traditional concepts of “deceptive” commercial practices and has begun to challenge a broader category of allegedly “unfair” security practices that may involve no false or misleading marketing statements and no failure to follow published data privacy policies. In one recent example, the FTC complained about a company’s failure to require regular password updates, an omission that the FTC viewed as commercially “unreasonable.” For such asserted failings, the FTC has sought significant concessions from companies, such as implementation of a comprehensive information security program and a commitment to regular independent audits over the course of twenty years.

The FTC’s authority to take action against allegedly “unfair” or “unreasonable” data security practices, in addition to “deceptive” practices, met its first serious challenge in a recent case in federal district court in New Jersey. On April 7, 2014, the U.S. District Court for the District of New Jersey upheld the FTC’s far reaching authority over the reasonableness of data security practices and rejected a challenge to such authority raised by Wyndham. The court affirmed the FTC’s enforcement authority despite the absence of any articulated standards and despite the existence of multiple sector-specific data security statutes and regulations enforced by other agencies.

The FTC’s views on the reasonableness of data security practices may have a significant impact going forward on companies that maintain consumer data. These views will be expressed by the FTC not through notice-and-comment rule-making and application of clear regulations but rather through consent orders, speeches by FTC leadership, and public workshops.

The U.S. district court did not reach any decision on the merits as to whether the defendants, Wyndham and related parties, are liable for unreasonable or deceptive practices. Rather the court denied a motion to dismiss on the pleadings, forcing Wyndham to settle or continue to litigate against the FTC. This precedent will give the FTC greater leverage over companies under investigation and an enhanced ability to force companies to undergo expensive litigation over the reasonableness of their data security practices.

The FTC’s Allegations Against Wyndham

In a series of attacks between 2008 and 2010, hackers gained access to Wyndham’s corporate computer network and to the separate computer networks of several independently owned, Wyndham-branded hotels. From there, the attackers may have accessed credit card information that the independent hotel owners collected from their guests. The responsible individuals, allegedly Russian cyber criminals, have not been caught.

In 2012, the FTC initiated a lawsuit against Wyndham. The FTC contended that Wyndham had failed to reasonably secure its computer network, and that this failure constituted an unfair or deceptive practice under Section 5(a) of the FTC Act, 15 U.S.C. § 45. The FTC’s case included a typical deceptive practices claim: that Wyndham disseminated misleading privacy statements indicating that customer information would be reasonably secured. In addition to the deceptive practices claim, however, the FTC alleged that Wyndham’s failure to employ certain security practices itself warranted sanction under Section 5 as an unfair trade practice, independent of anything Wyndham had said to consumers.

The FTC’s unfair trade practices claim highlighted a range of specific data security measures that the FTC alleged Wyndham did not employ. Wyndham’s alleged failures included, for example, storing payment card information in clear text and failing to employ firewalls. The FTC argued that, in addition to conflicting with the company’s privacy statements, Wyndham’s deficient security practices were likely to cause substantial injury to consumers that consumers could not reasonably avoid themselves, and that the lax security provided no countervailing benefit to consumers or to competition. The FTC attributed the hackers’ ability to access Wyndham’s computer networks to these “unfair” security lapses.

Wyndham’s Attack on the FTC’s Statutory Authority

Wyndham moved to dismiss both claims. It characterized the FTC’s lawsuit as an unprecedented attempt to stretch a broadly worded, century-old statute to provide authority to regulate sophisticated technologies not contemplated by its drafters or even by current members of Congress. Wyndham argued that the unfairness claim must be dismissed either because the FTC’s authority under Section 5 does not extend to data security or, alternatively, because the FTC did not provide fair notice of what Section 5 would require.

First, Wyndham argued that the broad, general language of Section 5, prohibiting “unfair . . . acts or practices,” does not give the FTC authority to prescribe specific data security standards to apply across all industries. Congress has approved an array of statutes setting specific data-security standards for individual sectors, belying a reading of Section 5 that would provide the FTC more general authority. Meanwhile, multiple efforts to pass a comprehensive data-security law have failed in Congress. Thus, Wyndham accused the FTC of seeking to sidestep the political process in order to claim authority not provided by any current law.

Second, Wyndham argued that even if the current FTC Act provides authority over data security standards, enforcement of a vague unfairness standard in the absence of concrete data security rules violated its due process rights. Wyndham observed that the FTC has not published regulations or guidelines instructing companies what specific data safeguards Section 5 requires. Without fair notice defining which security practices would be considered “unfair,” Wyndham argued, the FTC should not punish companies for failing to comply.

The FTC’s Response

The FTC defended its authority to bring enforcement actions alleging unfair data security practices, by arguing that Section 5 is a flexible provision capable of addressing changing business norms and that Wyndham and other companies are well aware of what it requires.

The FTC first argued that Section 5 is designed to respond flexibly to changing business practices and over the years has addressed other unfair practices that use new technologies, such as telephone billing and online check drafting. Data security is no different from those other new technologies. In addition, the FTC maintained that no contradiction exists between its broad authority under Section 5 and sector-specific laws enhancing its authority within particular industries. Finally, the FTC disputed the idea that Congress’s inability to pass a comprehensive data security law stripped its authority over unfair data practices, noting that several recent bills explicitly recognized its existing authority over data security.

Second, the FTC contended that Wyndham and other businesses already have fair notice of what constitutes “unfair” data security practices: “unreasonable data security practices are unfair.” The FTC pointed to government and industry sources as providing further clarity regarding reasonable data security, highlighting voluntary industry standards, such as those published by the National Institute of Standards and Technology (NIST), and consent orders entered in recent data security enforcement actions. Ultimately, the FTC defended its ability to define unfairness case-by-case through individual enforcement actions, and it argued that such an approach simplified efforts to fight cybercrime and provided flexibility in an area of constant change.

Practical Impact of the Decision

U.S. District Judge Esther Salas denied Wyndham’s motion to dismiss, ruling that the FTC had adequately stated claims that Wyndham engaged in both unfair and deceptive practices by failing to maintain reasonable data security that would protect consumers’ personal information from unauthorized access. 

Unfairness. The court ruled that the FTC’s complaint adequately stated a claim that Wyndham’s data security practices were “unfair.” In so ruling, it confirmed that the FTC has the authority to regulate unfair data security practices and that the FTC may develop data security standards through case-by-case adjudication, a process that serves to complement the sector-specific data security laws and regulations that have been enacted.

In light of the Wyndham decision, the FTC will continue to challenge data security practices that it views as unreasonable, without providing a comprehensive set of requirements that companies may safely follow. Companies should look to the patchwork of FTC views expressed in consent orders, speeches by FTC leadership, and public workshops, as well as industry publications, to identify prudent security measures.

Deception. The court ruled that the FTC’s complaint adequately stated a claim that Wyndham’s data security policies were “deceptive.” Specifically, Wyndham’s privacy policy included statements that it used “industry standard practices” and made “commercially reasonable efforts” to maintain appropriate safeguards to protect customer information. The FTC alleged that these statements were misleading because Wyndham failed to employ various specific safeguards to protect consumer data. Despite disclaimers contained in the privacy policy, the court drew all inferences in favor of the FTC and declined to dismiss the deception claim. As a result of the Wyndham ruling, companies should take care to ensure that general promises to use “industry standard” or “commercially reasonable” protective measures reflect specific investments in data security technologies.

Permissive Pleading Standards. In more than one instance, the court declined Wyndham’s invitation to hold the FTC to strict pleading standards. With respect to the “unfairness” claim, the court rejected Wyndham’s argument that the FTC could not allege facts establishing substantial consumer injury. Wyndham emphasized that federal law limits consumer liability for the unauthorized use of a payment card to $50, and that, in practice, none of the major credit card companies charges consumers even this minimal amount when their payment information is compromised. Nevertheless, the court ruled that the FTC’s general allegations, namely that at least some consumers suffered an unreimbursed financial injury, sufficed to survive a motion to dismiss. With respect to the “deception” claim, the court rejected Wyndham’s contention that the heightened pleading standard of Rule 9(b) should apply. The practical effect of these rulings may extend past FTC enforcement actions and into private litigation. In particular, the decision may further embolden plaintiffs bringing cases under state law based on unfair or deceptive trade practices.

The court emphasized that the Wyndham decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Nevertheless, the decision further cements FTC authority over data security, as it allows the FTC to hold companies responsible for lax security practices in the absence of any clear guidelines for those companies to follow. Companies should continue to insist that the FTC articulate clear standards identifying practices that are unlawful versus merely imperfect.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
