Future of FTC Data Security Enforcement Hinges on Forthcoming Wyndham Ruling

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson

Jan. 2 — A hotel chain has presented the U.S. Court of Appeals for the Third Circuit with an unprecedented opportunity to define the Federal Trade Commission's authority to police the data security practices of U.S. companies.

Many companies have agreed to settle the FTC's data security enforcement actions. But hotelier Wyndham Hotels & Resorts LLC instead pushed back against the FTC, arguing that the commission lacks the authority under the unfairness prong of Section 5 of the FTC Act, 15 U.S.C. § 45, to bring data security enforcement actions. It also claimed the commission failed to provide adequate notice of what security practices it expects of companies.

Wyndham is unlikely to win its appeal of a district court decision in favor of the FTC, legal analysts told Bloomberg BNA. But a Third Circuit decision in favor of Wyndham might significantly affect the FTC's authority to patrol the data security and privacy practices of companies, they said.

“The decision’s going to be very important for both parties,” Linn Foster Freedman, a partner at Nixon Peabody LLP's Providence, R.I., and Boston offices and leader of the firm's Privacy & Data Protection Group, said. “If the FTC wins, it will just give the FTC fuel for their fire of enforcement. If Wyndham wins, the FTC will have to evaluate its enforcement process.”

Daniel J. Solove, the John Marshall Harlan research professor of law at George Washington University Law School, said that if the court affirms the district court's decision, “not much will change for businesses, as an affirmation means that the FTC can go on as it has been.

“If the court reverses and limits the FTC’s power, then everything could be plunged into chaos,” Solove said. “It will be hard for a court to rework the FTC’s jurisdiction in a way that doesn’t open up a Pandora’s box of questions and uncertainties.”

The appeal also illuminates the need for clear rules or guidelines on data security from the FTC, some practitioners said. “What business really needs here is clear rules of the road, and unfortunately when there’s after-the-fact enforcement like this based on broad concepts like unfair practices, that doesn’t provide the clarity that business needs,” Peter Karanjia, a partner at Davis Wright Tremaine LLP in Washington and co-chair of the firm's appellate practice group, said.

Hacks Prompted FTC Action

Following three separate hacker intrusions into Wyndham's network within two years, in 2012 the FTC initiated an enforcement action against Wyndham Worldwide Corp. and three of its subsidiaries, alleging that they failed to maintain reasonable security.

In April, the U.S. District Court for the District of New Jersey denied the motion to dismiss by Wyndham Hotels & Resorts, ruling that the FTC has authority under the unfairness prong of Section 5 of the FTC Act to bring a data security enforcement action against the company and doesn't have to issue data security rules (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL 94785 (D.N.J. Apr. 7, 2014)).

The Third Circuit granted Wyndham's petition for an interlocutory appeal of portions of the district court's opinion.

First Chance for Appeals Court Clarity

Legal analysts said this case gives a federal appeals court—for the first time—the opportunity to clarify the FTC's role in data security.

“Because companies typically settle these cases in the early stages, no federal appellate court has ever had a chance to weigh in on whether Section 5 actually gives the FTC this authority,” Jeff Kosseff, an associate at Covington & Burling LLP in Washington, said. “The entire privacy and data security community is closely watching this case.”

Stacey Brandenburg, counsel at ZwillGen PLLC in Washington, said she hopes the Third Circuit “will be able to offer some clarity regarding the issues before it—in particular, regarding the role of the FTC in establishing data security standards—as that would benefit both businesses and the Commission.”

“When the FTC first entered this space, there were few entities providing guidance about what steps companies should consider to help protect their customer’s information from breaches; now, the landscape has changed somewhat, and it would be helpful for the court to determine whether the FTC's role in this space is warranted, and justified by law,” Brandenburg, who previously worked with the FTC’s Division of Privacy and Identity Protection, said.

Impact Beyond Third Circuit

The court's opinion will likely have wide-ranging consequences for corporate data security and privacy in the U.S., analysts said.

“Even though the court’s opinion only will be binding in the Third Circuit, it could have a big impact on the FTC’s ability to regulate data security,” Kosseff said. The court's decision might affect the debate in the next Congress, he said, noting that lawmakers have introduced measures in the past that would provide the FTC with the authority to regulate data security.

If the court rules in favor of Wyndham and weakens the power of the FTC, the U.S.-European Union Safe Harbor Program, “something that the EU finds unsatisfying and is thinking of changing, will be put further in jeopardy,” Solove said. The program allows U.S. companies to lawfully transfer personal data outside the European Economic Area because they have self-certified their compliance with privacy principles similar to those found in the EU Data Protection Directive (95/46/EC).

In addition, Solove questioned how states such as California would fill the hole left by the FTC.

“Anything that weakens the FTC could have ripple effects throughout privacy law, and we should not expect all the other policy makers to stand still,” he said. “The irony is that if the FTC is pushed back, what might fill the void could be less favorable to industry.”

How Will the Court Rule?

The analysts generally predicted that the Third Circuit would rule in favor of the FTC on most of the issues on appeal.

“The district court’s decision was well-written and correct,” Woodrow N. Hartzog, associate professor at Samford University Cumberland School of Law, said. “The court’s logic is consistent with many other cases that confirm the FTC’s broad grant of authority in disputes outside of data security.”

Solove said he thinks the Third Circuit will affirm the lower court's decision. “The district court’s decision was right on the mark,” he said. “The FTC has very broad jurisdiction.”

Edmund Mierzwinski, director of the Consumer Program at U.S. PIRG in Washington, also expects the Third Circuit to uphold the FTC's position. “Of course, if Wyndham were to unexpectedly prevail, I cannot speculate on the recklessness and sloppy practices that would flourish, likely necessitating Congressional action to clean up the mess, because the FTC has very limited rulemaking powers,” he said.

“If I had to bet on the outcome, I’d bet that Wyndham would lose on the statutory authority questions but get some kind of a half-victory on pleadings and/or fair notice,” Berin Szoka, president of technology think tank TechFreedom, said. “Even a decision that’s mostly, even entirely, a loss for Wyndham could force the FTC to change how it operates.

“Legally, it’s worth noting that Wyndham is on weaker ground at this stage in the litigation because it has to show not merely that the FTC hasn’t made a convincing Section 5 case overall, but that its briefs don’t meet the fairly low bar set for pleadings,” Szoka added.

“Even a partial win for Wyndham on either the pleadings and notice argument could significantly change the FTC’s approach to case-by-case enforcement by requiring the FTC to do much more to explain its analysis of the ‘criteria set forth in Section 5(n),' ” Szoka said. That section of the FTC Act requires an unfair act or practice to cause, or likely cause, “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Need for Clear Rules and Guidance?

The appeal also highlights the need for the FTC to provide clear rules and guidance concerning best data security practices, some practitioners said.

“There certainly is a very strong business need in the area of cybersecurity to know what is expected of companies in terms of procedures and practices,” Karanjia said. Statements about expecting businesses not to engage in unfair practices, or expecting businesses to have adequate procedures in place, don't “give the clarity they need,” he said.

Freedman also expressed concern with the lack of guidance on data security from the FTC. It is “like the FTC is saying we have broad jurisdiction over any data breach but we’re not going to tell you what the guidelines are,” she said. The prospect of an FTC data security enforcement action given the lack of guidance and the sophistication of cyberattacks makes for a “very challenging environment for all companies and all industries,” she said.

But Robert Gellman, an independent privacy consultant based in Washington, said he expects the FTC to win the Wyndham appeal primarily because there is existing security guidance. Industry standards, such as the Health Insurance Portability and Accountability Act Security Rule, “are pretty similar and make it clear what organizations should do,” he said. “Even though the FTC did not (and probably cannot) issue its own standards, Wyndham should not have had any difficulty knowing what to do.

“If the challenge had been to an FTC privacy action, there really aren't any generally accepted privacy standards,” Gellman added, noting that the Wyndham case was “the wrong case for industry to bring.”

FTC Commissioner Julie Brill said in August that the commission isn't “looking for perfect security.” The commission takes action against “companies that didn't engage in very reasonable practices, didn't patch known vulnerabilities and that engaged in activities that really fell below the reasonableness line,” she said at the Aspen Forum, a conference sponsored by the Technology Policy Institute.

‘Classic Administrative Overreaching.'

“This lawsuit represents classic administrative overreaching,” Wyndham argued in its opening appellate brief. “Until the decision below, no court in the history of American law had ever interpreted the FTC's authority over ‘unfair' business practices to encompass a company's efforts to secure its own computer networks.”

The FTC also failed to provide fair notice of what “reasonable and appropriate” cybersecurity practices are, the hotel chain argued. “In essence, the Commission has adopted a ‘we know it when we see it' approach that leaves every business in the land vulnerable to selective enforcement,” it said.

The commission failed to set forth facts demonstrating that consumers suffered a “substantial injury” that isn't “avoidable,” as required to establish an unfair business practice, Wyndham added. “That is not surprising, as any consumer could avoid any fraudulent charges by simply notifying his or her payment-card company,” it said.

In its reply brief, Wyndham said the FTC's argument that a breach of “reasonable standards of care” in protecting consumer information constitutes an unfair business practice “is nothing more than an allegation of negligence,” which doesn't suffice to establish an unfair practice.

Several organizations submitted friend-of-the-court briefs in support of Wyndham, including: the Washington Legal Foundation and the Allied Educational Foundation; the Electronic Transactions Association; and the Chamber of Commerce, the American Hotel & Lodging Association and the National Federation of Independent Business.

FTC: Section 5 Is ‘Open-Ended.'

The FTC responded that Congress purposely wrote Section 5 in “open-ended terms,” given that threats to consumers would evolve.

The commission said its administrative ruling in a separate enforcement action against medical testing company LabMD Inc. is entitled to deference. In that action, the FTC determined that its authority under the unfairness prong of Section 5 extends to the data security practices of companies.

Wyndham had fair notice of the obligation to take reasonable steps to protect customer data under “ordinary common-law negligence principles,” the FTC's own complaints and consent orders and its 2007 “Guide for Business” on “Protecting Personal Information,” the commission argued.

The FTC also pointed to several alleged facts that it says demonstrate “substantial injury,” including “unreimbursed charges, impaired access to credit, and the time and money consumers wasted cleaning up the mess caused by Wyndham's repeated security lapses.”

Several organizations filed friend-of-the-court briefs in support of the FTC, including: the Electronic Privacy Information Center and 33 technical experts and legal scholars; Public Citizen Inc., the Center for Digital Democracy and Consumer Action; and the Center for Democracy & Technology and the Electronic Frontier Foundation.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com