By Thomas O'Toole
April 7 -- The Federal Trade Commission has authority under the “unfairness” prong of the FTC Act, 15 U.S.C. §45(a), to bring enforcement actions to remedy unreasonable data security practices, the U.S. District Court for the District of New Jersey held April 7.
Judge Esther Salas ruled that it is not necessary for Congress to have explicitly given the FTC authority to wield the FTC Act against companies who cause consumer and business harm by maintaining weak data security systems. Nor is it necessary, the court said, for the FTC to promulgate prior data security regulations explaining in detail which security practices are lawful and which are not.
The court noted that the Ninth Circuit, in FTC v. Neovi Inc., 604 F.3d 1150 (9th Cir. 2010), and the Tenth Circuit in FTC v. Accusearch Inc., 570 F.3d 1187 (10th Cir. 2009), have already affirmed FTC “unfairness” enforcement actions without preexisting rules or regulations addressing the specific conduct at issue. In Judge Salas' view, Wyndham was essentially asking for a FTC Act carve-out for data security, a request she found no basis in the law to grant.
Between April 2008 and January 2010, the defendants, Wyndham Worldwide Corp. and related business entities, suffered a series of intrusions into their computer networks, resulting in the loss of more than 619,000 payment card account numbers, according to the FTC complaint. The FTC further alleged that these intrusions proximately led to more than $10.6 million in fraud losses.
According to the FTC, these losses were attributable to unreasonably weak data security practices by Wyndham. The FTC alleged that Wyndham:
• failed to limit access among different computer networks through the use of readily available measures, such as firewalls;
• permitted improperly configured software, resulting in the storage of payment card information in clear text;
• failed to ensure that Wyndham-branded hotels had adequate information security policies in place prior to allowing them to access Wyndham’s computer network;
• failed to require servers attached to its networks to have the latest security patches from manufacturers;
• permitted servers on its network with commonly known default user IDs and passwords;
• failed to follow best practices for password complexity;
• failed to inventory the computers on its network in order to permit Wyndham to identify the origin of intrusion efforts;
• failed to employ reasonable measures to detect and prevent unauthorized access;
• failed to follow proper procedures to prevent repeated intrusions; and
• and failed to restrict third-party access to its network.
The FTC Act, 15 U.S.C. §45(a)(1), prohibits “unfair or deceptive acts or practices.” The FTC, in a complaint that sought only equitable relief, alleged two violations of §45:
• Wyndham engaged in “unfair” practices because its lax security measures failed to adequately protect customers' payment card data.
Wyndham moved to dismiss, arguing that Congress had failed to give the FTC the necessary authority to enforce data security standards by using the FTC Act's “unfairness” authority against it. Further, Whydham argued that the FTC's practice of using enforcement actions and thereby creating a data security standard piecemeal, on a case-by-case-basis, failed to give it notice of which practices were lawful and which were not.
The court rejected Wyndham Hotels' argument that the FTC had exceeded its statutory authority for the same reasons identified by the U.S. Supreme Court in FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), a case in which the high court ruled that the FDA lacked authority to mandate disclaimers on tobacco packages. Brown& Williamson involved a situation in which Congress clearly intended to exclude tobacco products from the FDA's enforcement authority, the district court noted here. No such congressional intent is evident with respect to the FTC and data security; in fact, the court added, nothing in Congress's several specific enactments of FTC authority in the area of data security--e.g., the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act--contradict the FTC's assertion of jurisdiction to enforce data privacy standards under the FTC Act.
“This is obviously a significant win for the FTC,” Stephen P. Satterfield, an attorney in the Privacy and Data Security practice group at Covington & Burling LLP, Washington, D.C., told Bloomberg BNA. “But it’s important to recognize that this is just Round 1 of what could be a very long battle.”
Satterfield said it is likely that Wyndham Hotels--the first company, after a long line of settlements in similar cases, to challenge the FTC's authority--will seek to immediately appeal the decision to the Third Circuit. “Even if the case does not immediately go up for appeal, the FTC has a long way to go before it can declare victory here,” he said.
The FTC was represented by Allison Michelle Lefrak, Federal Trade Commission, Washington, D.C. Wyndham Worldwide Corp. was represented by Jennifer A. Hradil, Gibbons PC, Newark, N.J.
To contact the reporter on this story: Thomas O'Toole in Washington at firstname.lastname@example.org
To view additional stories from Telecommunications Law Resource Center™ register for a free trial now