Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

by Davis Wright Tremaine LLP

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”
In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring to leave the agency “flexible” enough to deal with a changing security environment. While arguably defensible on statutory construction grounds, the Court’s decision adds to the enormous uncertainty among businesses regarding the vulnerability of their security practices to post hoc agency action, an uncertainty that may require adoption of data security policies far more conservative than economic efficiency and balanced consumer protection might otherwise dictate.
The Court did stress that it was only denying Wyndham’s motion to dismiss so as to leave a “liability determination [ ] for another day,” and also noted that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Assuming the case goes forward, Wyndham will certainly challenge whether the various consent orders and guidelines promulgated by the FTC were adequate to provide fair notice of the data security standard companies like Wyndham must meet. Wyndham will also be able to challenge whether its own measures were reasonable in light of any such standard, and to force the FTC to its proof as to whether Wyndham’s practices caused substantial injury to consumers that was not reasonably avoidable by those consumers.
Despite its posture, the Wyndham Worldwide decision is an important and long-anticipated one in rejecting many well-accepted arguments about the extent of the FTC’s jurisdiction and the requirement that the FTC provide reasonable notice of its rules. Indeed the Court rejected a contention that prior cases “require[] the FTC to formally publish a regulation before bringing an enforcement action under Section 5’s unfairness prong.” As such the decision has potentially wide-ranging ramifications so we intend to devote some attention to this case over the next few days. Today’s post will summarize the decision itself. Then, over the next several days, we will turn to a more detailed analysis of several key points, including a discussion of “fair notice” and what constitutes “reasonable” data security now.
Summary of the District Court’s Decision
Let’s start with some background. Section 5(a)(2) of the FTC Act empowers the FTC “to prevent persons, partnerships, or corporations” “from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” However, Section 5(n) limits the FTC’s authority to find practices “unfair” to those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The unfair practice alleged in the FTC’s complaint was that “Defendants have failed to employ reasonable and appropriate measures to protect personal information against unauthorized access.” The complaint lists ten unreasonable practices by Wyndham, of which the Court highlighted the following that “aligned” with particular alleged data breaches: failure to employ proper password protection; failure to adequately inventory computers connected to Wyndham’s network; and failure to employ “readily available security measures” such as firewalls.
In response, Wyndham first argued that the FTC’s power to regulate under the unfairness prong does not include establishment of data-security standards for private businesses. Wyndham pointed to the multitude of laws authorizing federal agencies to create minimum data-security standards in specific sectors, which it contended meant that the very broad language of Section 5 had been narrowed over time.
More significantly, Wyndham argued that under FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), the recent express authorizations of authority to the FTC to regulate data security in targeted markets—under The Children’s Online Privacy Protection Act (COPPA), The Fair Credit Reporting Act (FCRA) and The Gramm-Leach-Bliley Act (GLBA)—constituted “powerful evidence that the FTC lacks general authority under Section 5 to regulate data-security practices in cases (like this one) that fall outside the confines of those narrow delegations.” Wyndham also pointed to express disavowals by the FTC of its ability to regulate data security generally.
In Brown & Williamson, a case involving the Food & Drug Administration’s attempt to regulate tobacco products, the Supreme Court held that where an agency's construction of a statute that it administers is in dispute, a court must determine “whether Congress has directly spoken to the precise question at issue.” Otherwise, the courts must respect the agency’s interpretation. The Supreme Court then examined the underlying statute and subsequent tobacco-specific legislation to reach the “inescapable conclusion” that the FDA was precluded from regulating tobacco. The Court further found that the FDA had repeatedly disavowed jurisdiction over tobacco for many years, and that Congress’ subsequent legislation on the subject “ratified” that disavowal.
The New Jersey District Court in the instant case rejected Wyndham’s arguments under Brown & Williamson, refusing to “carve out” a data security exception to the FTC’s Section 5 powers. The Court found that, unlike in Brown & Williamson, there was no “inescapable conclusion” that the FTC was precluded from regulating data security outside the narrow confines of COPPA, FCRA and GLBA. Rather, the Court believed that those authorizations could be read consistently with the broader authority under the FTC Act, and as supplemental to that authority rather than contradictory.
The Court then dismissed the express disavowals of jurisdiction made by the FTC, stating in conclusory fashion that it was “not convinced that these statements, made within a three-year period, equate to a resolute, unequivocal position under Brown & Williamson that the FTC has no authority to bring any unfairness claim involving data security.” The Court noted that the FTC appeared to have changed its position after that three-year period, but otherwise provided little basis for its reasoning.
The District Court next turned to Wyndham’s argument that the FTC failed to provide “fair notice” as to the standard of conduct Wyndham was required to follow because it had not promulgated any rules or regulations on point; in short, Wyndham maintained that businesses should not be forced to “divine” the FTC’s belief as to what practices will constitute unfair conduct. Wyndham also argued that the appropriate test for determining whether the FTC had provided fair notice was whether the standard of conduct for businesses such as Wyndham had been stated with “ascertainable certainty,” and that the standard cannot be met by announcing rules “for the first time in an enforcement proceeding.”
The District Court, however, found that where an agency is given the choice of engaging in rulemaking or proceeding by individual adjudication, that choice is typically left to the discretion of the agency. The very breadth of the FTC Act, the Court held, suggested that the agency needs flexibility to address complex and differing situations. Refusing to find whether the correct standard was “ascertainable certainty”, the Court held that there was no requirement that the FTC formally publish regulations before bringing an individual claim. In any event, the Court found, there was sufficient “notice” found in “the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure.”
Wyndham’s final argument under the unfairness prong was that the FTC had not properly pled that Wyndham’s practices were unfair because the FTC could not show that the practices caused or were likely to cause substantial injury to consumers that was not reasonably avoidable by those consumers. The Court rejected Wyndham’s contentions on substantial injury and avoidance almost summarily, finding that the FTC Complaint specifically alleged over $10.6 million in fraud loss and other financial injury including unreimbursed fraudulent charges, that Wyndham’s argument that statutory caps on consumer liability eliminate the possibility of substantial injury was unavailing given the FTC’s contrary pleading, and that the question of whether consumers could “avoid” injury by seeking reimbursement for losses was too fact-specific for decision on a motion to dismiss.
More interesting was the Court’s take on causation. The Court found that “[t]he FTC’s allegations also permit the Court to reasonably infer that Hotels and Resorts’ data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers. The FTC alleges ‘a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’” Presumably many businesses may be surprised to learn that a federal court has now endorsed the FTC view that substandard (whatever that standard may be) security practices actually cause data theft.
Finally, the FTC also avoided dismissal of its claim under the “deception” prong of Section 5. The Court found that defendant’s attempt to draw a distinction between the privacy policy promulgated by Wyndham Hotels & Resorts (the named defendant) and the security failures of its franchisees (Wyndham-branded hotels) was insufficient, at the pleading stage, to preclude a claim. It is unclear on the face of the decision to what extent the fact that the Court found the deception claim valid may have influenced its decision on the unfairness prong.
Tomorrow: Part II: Fair Notice or No Notice?
