FTC v. Wyndham Worldwide Corporation, et al. and the FTC's Authority to Regulate Companies' Data Security Practices

Jurisdiction: United States, Federal
Author: Kathryn F. Russo
Publication year: 2014
Citation: Vol. 23 No. 2
FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL. AND THE FTC'S AUTHORITY TO REGULATE COMPANIES' DATA SECURITY PRACTICES

By Kathryn F. Russo1

I. INTRODUCTION

In a landmark decision, FTC v. Wyndham Worldwide Corp.,2 a federal court held for the first time that the FTC has authority under Section 5 of the Federal Trade Commission Act3 to enforce the prohibition against unfair and deceptive acts or practices in the field of data security. Although the FTC has brought data security enforcement actions against companies under Section 5 for over a decade, the Wyndham decision is significant because it is the first time a federal court has held, in the face of robust opposition, that the FTC has authority under Section 5 to bring such actions. As detailed below, the FTC alleged that Wyndham's failure to maintain reasonable data security standards violated Section 5 of the FTC Act.4 In response, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.5 The District Court denied Wyndham's motion to dismiss and held, among other things, that (i) the FTC has authority pursuant to Section 5 of the FTC Act to assert an unfairness claim in the data security context, (ii) the FTC provided fair notice of what constitutes an unfair data security practice and is not required to issue regulations before bringing an unfairness claim, and (iii) the FTC's complaint sufficiently pleaded an unfairness claim under the FTC Act.6 Because some California courts of appeal have applied the FTC's three-prong definition of "unfair," the Wyndham decision has implications for California's Unfair Competition Law as well.

Although the District Court held that the FTC has authority under Section 5 to bring data security actions against companies, it is important to note that the Court's opinion is in the context of a motion to dismiss. The issue as to whether there was substantial injury to consumers will still need to be litigated. Additionally, the Court makes clear that its decision is not a "blank check" for the FTC to bring lawsuits against any company that has experienced a data breach.7

[Page 164]

II. FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL.

A. The FTC's Complaint Against Wyndham

In August of 2012, the FTC brought an action8 against Wyndham Worldwide Corporation and three of its subsidiaries pursuant to Section 5 of the FTC Act,9 alleging that Wyndham violated Section 5(a)'s prohibition of "acts or practices in or affecting commerce" that are "unfair" or "deceptive." The FTC alleges that Wyndham's failure to maintain reasonable and appropriate data security standards for consumers' sensitive personal information allowed hackers to gain unauthorized access to Wyndham's computer networks on three occasions and resulted in "more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to a domain registered in Russia."10 Specifically, the FTC alleges that Wyndham (a) failed to use firewalls; (b) stored payment card information in clear readable text; (c) failed to implement adequate information security policies and procedures; (d) failed to remedy known security vulnerabilities; (e) used default user IDs and passwords; (f) did not require the use of complex passwords; (g) failed to adequately inventory computers; (h) failed to employ reasonable measures to detect and prevent unauthorized access to computer networks; (i) failed to follow proper incident response procedures; and (j) failed to adequately restrict third-party vendors' access to Wyndham's network.11 The FTC alleges that, taken together, such data security failures unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.12 Further, the FTC argues that such unreasonable exposure has caused and is likely to cause substantial injury to consumers and businesses.13 For example, the FTC states that consumers and businesses suffered financial injury including "unreimbursed fraudulent charges, increased costs, and lost access to funds or credit."14 Based on Wyndham's alleged unfair and deceptive acts and practices in violation of Section 5, the FTC requests that the Court enter a permanent injunction and grant other relief the Court deems proper.15

B. Wyndham's Motion to Dismiss

In response to the FTC's complaint, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.16

[Page 165]

First, Wyndham argues that the FTC's unfairness authority under Section 5 of the FTC Act does not extend to the regulation of the data security practices of private companies.17 Wyndham equates the FTC's action with FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000).18 In Brown & Williamson, the U.S. Supreme Court held that Congress did not grant the FDA jurisdiction to regulate tobacco products and stated, "if tobacco products were within the FDA's jurisdiction, the Act would require the FDA to remove them from the market entirely. But a ban would contradict Congress' clear intent as expressed in its more recent, tobacco-specific legislation."19 Wyndham contends that, akin to Brown & Williamson, since the enactment of the FTC Act, Congress has "settled on 'a less extensive regulatory scheme' and passed narrowly tailored legislation."20 Wyndham cites various laws, including the Fair Credit Reporting Act ("FCRA"), the Gramm-Leach-Bliley Act ("GLBA"), the Children's Online Privacy Protection Act ("COPPA"), and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as evidence that the FTC lacks general authority under Section 5 to regulate data security practices.21 Additionally, Wyndham argues that in light of pending cybersecurity legislation and the "important economic and political considerations involved in establishing data-security standards for the private sector...it defies common sense to think that Congress would have delegated that responsibility to the FTC ...."22 Further, Wyndham contends that, like the FDA in Brown & Williamson, the FTC has disclaimed its authority to regulate data security under its Section 5 unfairness authority on various occasions.23

Second, Wyndham argues that even if the FTC has authority under Section 5 of the FTC Act to regulate data security standards for private companies, Wyndham cannot be held liable because the FTC did not provide fair notice of what Section 5 requires.24 Wyndham argues that fair notice requires the FTC to publish data security rules and regulations establishing guidance and performance measures for companies to follow.25 Wyndham states, "[b]ecause the FTC has not published any rules, regulations, or other guidelines explaining what data-security practices the Commission believes Section 5 to forbid or require, it would violate basic principles of fair notice and due process to hold [Wyndham] liable in this case."26 Additionally, Wyndham argues that agencies in general "cannot use enforcement actions simultaneously to make new rules and to hold a party liable for violating the newly announced rule."27 In sum, Wyndham argues that the FTC would have to promulgate data security rules before holding Wyndham liable for any violations of Section 5 related to data security.

[Page 166]

Third, Wyndham argues that Section 5 does not govern the security of payment card data.28 Pursuant to Section 5, an act or practice is unfair if the act or practice "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing...
