In a closely watched and first-of-its-kind case, the U.S. District Court for the District of New Jersey rejected, for purposes of a motion to dismiss, a defendant company’s argument that the Federal Trade Commission (FTC) lacks authority to regulate data security practices under Section 5 of the FTC Act. FTC v. Wyndham Worldwide Corp., No. 13-1887(ES), 2014 WL 1349019 (D.N.J. Apr. 7, 2014) (hereinafter “Wyndham”). The FTC sued the Wyndham hotel chain, alleging that it violated Section 5 of the FTC Act, 15 U.S.C. § 45(a), by implementing insufficient data security practices which, in turn, permitted online criminals to hack into Wyndham’s computer network and steal consumers’ personal information. Essentially, the FTC claimed that it is an unfair business practice to collect personal or sensitive customer data and then not employ adequate security measures to protect it, and it also claimed that statements promising security become deceptive in such circumstances.
The Court rejected several arguments advanced by Wyndham, including the argument that the FTC has no authority to regulate data security practices in the private sector.
The underlying dispute grew out of a series of security breaches at the Wyndham hotel chain. Intruders allegedly penetrated Wyndham’s computer network on three occasions between 2008 and 2010 and compromised payment card information for more than 600,000 consumers. The first two breaches revealed a number of security lapses, but appropriate corrective measures were allegedly not taken in a reasonable time frame to prevent further compromise of Wyndham’s network.
In its suit against Wyndham, the FTC alleged that Wyndham’s failure to implement adequate data security measures was an “unfair act” under Section 5(a) of the FTC Act. It also alleged that Wyndham committed a “deceptive act” under Section 5(a) by promising, in its privacy policies, that it employed adequate data security measures.
The Court Denied Wyndham’s Motion to Dismiss
Wyndham moved to dismiss the FTC’s claims on three grounds:
The FTC lacks authority to bring an “unfairness” claim in the data security context. Likening the case to FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), in which the Supreme Court held that the FDA had no statutory authority to regulate tobacco, Wyndham argued that the “overall statutory landscape” prohibited the FTC from establishing data security standards under Section 5. Wyndham, 2014 WL 1349019, at *4. Wyndham also argued that the FTC had previously disavowed the authority to regulate data security under Section 5. See id. at *5.
The FTC violated fair notice principles by bringing its lawsuit before promulgating formal regulations establishing data security standards. See id. at *1.
The FTC failed to allege adequately that Wyndham’s conduct was “unfair” or “deceptive” for purposes of Section 5(a). See id.
The Court rejected each of Wyndham’s arguments, in turn:
The Court rejected Wyndham’s “invitation to carve out a data security exception to the FTC’s unfairness authority because this case is different from Brown & Williamson.” Id. at 6. The problem in Brown & Williamson, explained the Court, was that the FDA’s attempt to regulate tobacco necessarily created an inconsistency in federal policy: the FDA’s mandate would have required it to ban tobacco, but Congress had made clear in recent legislation that it did not intend to ban tobacco. Here, the Court held that “no such dilemma exists” because Wyndham “fails to explain how the FTC’s unfairness authority over data security would lead to a result that is incompatible with more recent legislation.” Id. To the contrary, in the Court’s view, “subsequent data security legislation seems to complement—not preclude—the FTC’s authority.” Id. at *7. The Court also disagreed that the FTC had disclaimed authority to regulate data security, holding that Wyndham failed to identify FTC statements that amounted to a “resolute, unequivocal position . . . that the FTC has no authority to bring any unfairness claim involving data security.” Id. at *8.
The Court rejected Wyndham’s argument that, because the FTC has not issued “rules, regulations, or other guidelines explaining what data-security practices the Commission believes Section 5 to forbid or require,” “it would violate basic principles of fair notice and due process to hold [Wyndham] liable in this case.” Id. at *9. The Court held that the FTC had discretion to proceed by rulemaking or by adjudication, and it held further that prevailing industry standards, the FTC’s previous consent decrees, and the FTC’s business guidance publications provided sufficient notice of what data security practices the FTC considered to be unlawful. See id. at *11-15.
The Court held that the FTC had sufficiently alleged the elements of its claims. As for the unfairness claim, Wyndham argued that the FTC did not adequately allege substantial, unavoidable harm to consumers from the security breaches or that the harm was caused by Wyndham’s alleged data security failures. The Court disagreed on both points. See id. at *15-20. As for the deception claim, Wyndham argued that Wyndham’s privacy policies—on which the FTC’s deception claims were based—do not apply to Wyndham’s franchised hotels, where the breaches allegedly occurred. Wyndham further argued that the FTC’s allegations of deception “amount to nothing more than conclusory statements of wrongdoing that fall well short of establishing a ‘plausible’ claim to relief.” Id. at 20. The Court again rejected both arguments. See id. at *21-24. The Court also decided, as a matter of first impression in the District of New Jersey, that claims under Section 5’s deception prong need not satisfy the heightened pleading standard of Federal Rule of Civil Procedure 9(b). Id. at *21.
Notably, the Court emphasized that the denial of Wyndham’s motion was not a ruling on the merits, and that its decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Id. at *4.
Implications of the Wyndham Decision
In light of congressional inaction on cybersecurity, the FTC has for years regulated by way of investigations and consent decrees. Its decision to sue in district court in Wyndham was not without risk. Had the Court agreed with Wyndham and dismissed the FTC’s claims, the ruling would have called into question years of prior FTC enforcement actions in the data security context (including enforcement actions brought and settled since the FTC filed the Wyndham case), and the agency’s ability to remain the principal data security regulator going forward.
The FTC has taken the position that it is an unfair business practice to collect personal or sensitive customer data and then not employ adequate security measures to protect it, and—at least so far, in the context of a motion to dismiss—a federal court has agreed. If the case continues to play out along these lines, this will be a significant development in the FTC’s favor. Previously, the FTC focused on scrutinizing privacy policies to make sure that companies were not giving false assurances regarding the security of data they collected. (In essence, so long as you don’t say that you are protecting customer data, you don’t have to do so.) But through the Wyndham case, the FTC seems to be moving toward establishing a de facto data security standard that must be met by all holders of consumer data. The exact nature of that standard is yet to be determined, but its contours, once defined, will have a tremendous impact on U.S. companies as they assess their data security practices and capabilities.
The Wyndham decision also preserves the FTC’s discretion to pursue its data security agenda through adjudication (including consent decrees, which the Court accepted as providing notice to other companies of the FTC’s position, even though they are settlements and not litigated results) or rulemaking. Although the issue was not aired extensively in the parties’ briefs, the FTC was no doubt keen to avoid a decision requiring it to regulate data security in the first instance through lengthy, controversial, and uncertain rulemaking proceedings.
Although the case is far from over, change is in the air, and businesses should review their data security practices in light of Wyndham.