In a first of its kind opinion, a New Jersey district court holds that the FTC has the authority to set a standard for consumer data security and that it can sue for breach of that standard under its authority to bring enforcement actions and seek civil penalties for “unfair” and/or “deceptive” practices.
On April 7, 2014, Judge Salas of the District of New Jersey issued a highly anticipated opinion allowing an FTC complaint against Wyndham Worldwide Corporation to move forward. The court rejected the hotel chain’s argument that it “carve out a data security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court.” While the forty-two page decision only addresses a denial of a motion to dismiss, it is the first decision holding that the FTC has authority to set a standard for consumer data security and that the FTC can sue for breach of that standard under its authority to bring enforcement actions and seek civil penalties for “unfair” and/or “deceptive” practices.
The suit stems from the FTC’s allegations that Wyndham failed to maintain “reasonable and appropriate data security for consumers’ sensitive personal information.” Between 2008 and 2010, the FTC alleged that three separate data breaches occurred at Wyndham exposing more than 619,000 consumer payment card account numbers and resulting in over $10.6 million in fraud losses. The FTC’s allegations focused in particular on the fact that “similar techniques” were used during all three breaches and Wyndham failed to implement “reasonable and appropriate security measures” after the first breach occurred.
Wyndham moved to dismiss the suit on three main grounds, each of which was rejected by the court. First, Judge Salas rejected Wyndham’s argument that the FTC lacked authority to assert an unfairness claim in a data-security context, and held that this case was different from Food and Drug Administration v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000). In Brown & Williamson, the critical premise was that Congress had directly spoken to the issue and “precluded the FDA’s jurisdiction to regulate tobacco products.” Judge Salas explained that the Wyndham case was different in that “subsequent data-security legislation seems to complement — not preclude — the FTC’s authority.”
Finally, Judge Salas held that the FTC adequately pleaded its allegations to support an unfairness or deception claim against Wyndham because “[t]he FTC’s allegations also permit the Court to reasonably infer that [Wyndham’s] data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.”
The court was careful to note, however, that this decision was simply a ruling on a motion to dismiss and that a liability determination was “for another day.” The court also explained that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
There are a few key takeaways from FTC v. Wyndham for those who maintain consumer data in a digital/electronic format:
If your company suffers a data security breach, it is important to prevent a similar breach from occurring again or risk a claim that your company acted unfairly and deceptively by failing to take reasonable measures to prevent another breach.
Vigilantly monitor FTC publicly available documents (such as complaints and consent agreements) to decipher what direction the FTC is heading in terms of which data breaches warrant enforcement actions.
Wyndham will pave the way for the FTC to investigate data breaches and bring similar enforcement actions against those companies it finds have failed to live up to its standard.
As it now stands, Wyndham may set the stage for other agencies such as the Consumer Financial Protection Bureau, which has concurrent authority with the FTC over consumer protection, to begin investigating and charging consumer services companies with unfair, deceptive or abusive practices when they have not been able to prevent their systems from being hacked.