FTC's Unfairness Authority Upheld In Wyndham Data Security Litigation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Thomas O'Toole and Katie W. Johnson  

April 8 -- The Federal Trade Commission has authority under the unfairness prong of the FTC Act to bring an enforcement action against Wyndham Hotels and Resorts LLC to remedy its alleged unreasonable data security practices, the U.S. District Court for the District of New Jersey held April 7.

Judge Esther Salas ruled that it isn't necessary for Congress to have explicitly given the FTC authority to wield the FTC Act against companies who cause consumer and business harm by maintaining weak data security systems. Nor is it necessary, the court said, for the FTC to promulgate prior data security regulations explaining in detail which security practices are lawful and which aren't.

Enforcement 'Flexibility Necessarily Inherent.'

The FTC's 2012 enforcement action against Wyndham Worldwide Corp. and several of its subsidiaries alleged that network intrusions proximately led to more than $10.6 million in payment card fraud losses .

Wyndham moved to dismiss, arguing that the FTC exceeded its congressional authority and that its use of enforcement actions created a piecemeal data security standard that failed to give the company notice of which practices were lawful .

The court said “the untenable consequence” of Wyndham's argument that the commission put specific rules in place before moving against poor data security would be to force the FTC that “to cease bringing all unfairness actions without first proscribing particularized prohibitions--a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”

Approval of De Facto Legal Standards?

“This ruling gives a judicial stamp of approval to the FTC’s ongoing enforcement of commercial data security practices,” Christopher Wolf, partner at Hogan Lovells US LLP in Washington, told Bloomberg BNA April 8.

“Unless this decision is overturned on appeal or another court rules to the contrary or Congress acts to clarify authorities to regulate cybersecurity, security practices that the FTC deems as 'unreasonable' or 'inappropriate' in informal guidance or in complaints issued along with consent orders will continue to serve as a de facto legal standard for data security in the United States,” Wolf said.

But Edward McNicholas, partner at Sidley Austin LLP in Washington, told Bloomberg BNA April 8 that “the suggestion by some commentators that the FTC is developing a 'common law' of information security misses that mark that the FTC consent decrees always involve the FTC winning.”

The commission doesn't “articulate cases in which it will decline to take action,” McNicholas, who is a member of the Privacy & Security Law Report advisory board, said. “A true body of common law is marked by its ability to restrain governmental authority as well as private actors, but the FTC's practice of publishing only those resolutions where it has wrung some concessions from defendants inhibits the development of a true 'common law' of information security.”

No 'Blank Check' for FTC

In the court's view, Wyndham was essentially asking for a FTC Act carve-out for data security, a request it found no basis in the law to grant.

But the ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the court said. “Instead, the Court denies a motion to dismiss given the allegations in this complaint--which must be taken as true at this stage--in view of binding and persuasive precedent.”

“This ruling gives a judicial stamp of approval to the FTC’s ongoing enforcement of commercial data security practices.”  
Christopher Wolf, Partner,
Hogan Lovells US LLP, Washington

The ruling will “permit the FTC to continue the reasonably aggressive enforcement approach they have pursued for a decade in more than 50 cases,” Kirk Nahra, a partner at Wiley Rein LLP in Washington, told Bloomberg BNA April 8. It will also “perhaps embolden them to be more aggressive now that their authority has been supported thoroughly and completely by the court,” Nahra, who is a member of the advisory board of the Privacy & Security Law Report, said.

“This decision will reduce pressure on Congress to pass data security legislation,” Nahra predicted.

“This is obviously a significant win for the FTC,” Stephen P. Satterfield, an associate at Covington & Burling LLP, in Washington, told Bloomberg BNA April 7. “But it’s important to recognize that this is just Round 1 of what could be a very long battle.”

'Long Way to Go.'

The ruling is important, Fred H. Cate, distinguished professor and C. Ben Dutton professor of law at Indiana University Maurer School of Law, told Bloomberg BNA April 8, because it is the first published opinion on the issue and it upheld the FTC's authority “against a very strong and comprehensive challenge.”

“I suspect that the court's view of the legal issues is unlikely to change should the case proceed,” Cate added.

But some commentators may have overstated the opinion's importance, Cate said. “It is only a motion to dismiss and so the court did not address any of the factual allegations, especially Wyndham's claim that the individuals whose credit cards were compromised may not have suffered sufficient harm,” he said.

Wyndham “may still win this battle, even if they fail to prevail in the broader war over the scope of FTC's authority,” he said.

The ruling is merely one district court ruling and Wyndham will likely appeal, Cate said. He pointed to a separate challenge by LabMD Inc. to the FTC's Section 5 enforcement authority in data security cases, which is pending in the U.S. District Court for the Northern District of Georgia (LabMD, Inc. v. FTC, No. 1:14-cv-00810-WSD (N.D. Ga. Mar. 20, 2014)) .

“In short, there is a long way to go before the issue of the FTC's authority over information security and privacy practices is finally resolved,” Cate said.

McNicholas said the commission “must now be acutely aware that it must articulate its information security expectations for companies and avoid taking the view that every company that suffers a data breach has somehow acted unfairly.”

Congress Didn't Exclude Data Security

The court rejected Wyndham's argument that the FTC had exceeded its statutory authority for the same reasons identified by the U.S. Supreme Court in FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), which concluded that the Food and Drug Administration lacked authority to mandate disclaimers on tobacco packages.

Brown & Williamson involved a situation in which Congress clearly intended to exclude tobacco products from the FDA's enforcement authority, the district court noted here. No similar congressional intent is evident with respect to the FTC and data security, the court said.

Nothing in Congress's several specific enactments of FTC authority in the area of data security--including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act--contradicts the FTC's assertion of jurisdiction to enforce data privacy standards under the FTC Act, the court said.

No Rules or Regulations Required

The court also held that the FTC doesn't have to promulgate rules and regulations to satisfy fair notice principles.

The court noted that the U.S. Court of Appeals for the Ninth Circuit, in FTC v. Neovi Inc., 604 F.3d 1150 (9th Cir. 2010) , and the Tenth Circuit, in FTC v. Accusearch Inc., 570 F.3d 1187 (10th Cir. 2009) , affirmed FTC unfairness enforcement actions without rules or regulations addressing the specific conduct at issue.

In addition, the Third Circuit has held that an agency has the discretion whether to litigate or regulate, the court said, citing Voegele Co. v. Occupational Safety & Health Review Comm'n, 625 F.2d 1075 (3d Cir. 1980).

Allegations Satisfy Pleading Requirements

The court concluded that the FTC's complaint sufficiently pleads an FTC Act unfairness claim and satisfies federal pleading requirements.

It found the FTC's allegation of injury sufficient, declining Wyndham's invitation to find the case analogous to Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), which held that an increased risk of identity theft from a data breach doesn't satisfy Article III injury-in-fact standing requirements .

But unlike the facts of Reilly, here the FTC has alleged misuse of the breached information, the district court said.

“The opinion flags what may well be the Achilles' Heel for the FTC's action,” McNicholas said. “Although the opinion recognizes that the agency adequately pled substantial consumer injury, it will be interesting to see if they agency has any actual evidence of substantial consumer injury.”

The court also held that the FTC could proceed against Wyndham on its additional allegation that the gap between the promises Wyndham made in its privacy policy and the actual circumstance of its data security practices was sufficiently wide to support a deceptive practices claim under the FTC Act.

Appeal or Settlement?

Satterfield said it is likely that Wyndham--the first company, after a long line of settlements in similar cases, to challenge the FTC's authority--will seek to immediately appeal the decision to the U.S. Court of Appeals for the Third Circuit.

Nahra said that “the case now becomes a normal enforcement proceeding.” Unless Wyndham decides to appeal, the case will likely result in a settlement that “mirrors” the FTC's “typical case,” he said.

“I hope Wyndham does appeal, so that we get a more definitive answer, but I am also glad that the FTC prevailed at this level so that its critical role in providing a backstop of protection for information security is not called into question,” Cate said.

Allison M. Lefrak, Katherine E. McCarron, Kevin H. Moriarty, Kristin Krause Cohen, Andrea V. Arias, James A. Trilling, John A. Krebs, Jonathan E. Zimmerman and Lisa Weintraub Shifferle, of the FTC, in Washington, represented the commission. Jennifer A. Hradil and Justin T. Quinn, of Gibbons PC, in Newark, N.J., represented the defendants.


To contact the reporters on this story: Thomas O'Toole in Washington at totoole@bna.com; Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/FTC_v_Wyndham_Worldwide_Corp_No_213cv01887ESJAD_2014_BL_94785_DNJ.

For additional insight on this ruling, please see the related report by law professors Woodrow Hartzog and Daniel J. Solove.

Request Bloomberg Law Privacy and Data Security