Wyndham Case Threatens to Put FTC Out of Data Security Business

The Federal Trade Commission has a critical piece of litigation on its hands in a New Jersey federal court. After filing, and settling, over a dozen enforcement actions asserting that lax data security measures were an "unfair" trade practice, one FTC target had the nerve to fight back: Wyndham Hotels. The hotel chain claims that the FTC lacks legal authority to, in effect, legislate data security standards for U.S. businesses via its existing authority under Section 5 of the FTC Act.

The stakes are high, and the case could be decided any day now. If the FTC escapes this case with its legal authority to bring enforcement claims against companies for shoddy data security intact, then U.S. businesses will likely be hearing from the FTC more often and their information technology practices will receive an unprecedented level of government scrutiny.


If, on the other hand, the FTC loses the Wyndham Hotels case, the country's public policy on data security will be a problem for Congress and Congress alone to solve. (Just writing the words "problem for Congress to solve" makes me smile.) Congress has had data security on its agenda for over a decade with very little evident progress. Unfortunately, whenever Congress is forced to devote attention to the topic, it is always in the unproductive context of the crisis of the moment: the Sept. 11 attacks or, recently, Edward Snowden's impolite declaration that our spies are spying on us.

The briefing on Wyndham Hotels' motion to dismiss is complete and the case is ready for decision. A month ago, on June 12, Wyndham Hotels' counsel requested a hearing on its motion to dismiss. The court has not responded to that request, raising the possibility that a decision is imminent.

The FTC's Case Against Wyndham Hotels

Here is what the FTC found when it looked into Wyndham Hotels' information security practices. According to the FTC's complaint, Wyndham Hotels:

  • failed to limit access among different computer networks through the use of readily available measures, such as firewalls;
  • permitted improperly-configured software, resulting in the storage of payment card information in clear text;
  • failed to ensure that Wyndham-branded hotels had adequate information security policies in place prior to allowing them to access Wyndham’s computer network;
  • failed to require servers attached to its networks to have the latest security patches from manufacturers;
  • permitted servers on its network with commonly-known default user IDs and passwords;
  • failed to follow best practices for password complexity;
  • failed to inventory the computers on its network in order to permit Wyndham to identify the origin of intrusion efforts;
  • failed to employ reasonable measures to detect and prevent unauthorized access;
  • failed to follow proper procedures to prevent repeated intrusions; and
  • failed to restrict third-party access to its network.

The end result of these alleged data security failures? Three security breaches in a two-year span, resulting in $10.6 million in fraud losses.

The FTC Act, 15 U.S.C. 45(a)(1), prohibits "unfair or deceptive acts or practices." The FTC's first amended complaint against Wyndham -- seeking only equitable relief -- alleged two violations of this statute:

  1. The hotel defendants engaged in “deceptive” practices by misrepresenting that they took “commercially reasonable efforts” to secure customers’ payment card data; and
  2. The hotel defendants engaged in “unfair” practices because their lax security measures failed to adequately protect this payment card data.

The FTC does not have unfettered authority to declare a particular business practice "unfair" and hence unlawful. In response to what some claimed were enforcement excesses at the time, Congress, in 1994, placed a limit on the FTC's authority to bring enforcement actions against allegedly "unfair" business practices. That year it added Section 5(n) to the FTC Act, a provision that states:

The Commission shall have no authority under this section or section 18 to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by the countervailing benefits to consumers or to competition. 15 U.S.C. 45(n).

The FTC contends that its enforcement action against Wyndham meets the criteria set out in Section 5(n). According to the FTC, Wyndham Hotels' customers suffered a substantial injury from Wyndham Hotels' unreasonable data security practices; this injury was not reasonably avoidable by the customers; and there were no countervailing benefits to Wyndham Hotels' allegedly lax security practices.

"Wyndham could have avoided or remedied these unreasonable data security practices through readily available, low-cost measures," the FTC argued in its brief in opposition to Wyndham's motion to dismiss.

Wyndham Hotels' Case Against the FTC

Wyndham's brief in support of its motion to dismiss attempts to undermine the FTC's claim to legal authority from every possible angle. Most of the arguments are what I call "lobbyist arguments" -- arguments that are high on rhetoric and short on evidence. Congress tends to swallow this stuff hook, line, and sinker, often in cases where 99 percent of the country's lowliest trial court judges would ask, "Where's your evidence, counselor?" At one point, Wyndham Hotels argued that it "defied common sense" to believe that Congress gave the FTC authority to regulate data security under the FTC Act. (An appeal to common sense. That made me smile too.) My reading of the briefs left me with the impression that the FTC/FTC Act combo is not an ideal way to promote sound data security practices; however, I didn't come away from the briefs believing that the FTC clearly lacks authority to bring this case.

Here are Wyndham Hotels' and friends' arguments, in the time-tested Top 10 format:

1. Wyndham Is the Victim Here

The illusory consumer harm in this case also underscores how much the FTC must twist Section 5 to bring an enforcement action against WHR. WHR, unlike the consumers in this case, lost millions of dollars and suffered significant reputational harm when cybercriminals attacked its network. Yet the FTC wants to turn a statute designed to protect consumers from unscrupulous businessmen, [...] into a tool to punish businesses victimized by criminals. This is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided. Not only is this result senseless, it cannot be what Congress intended when it enacted Section 5.  

Wyndham Hotels Motion to Dismiss, p. 21  

A classic appeal to sympathy. We're victims too. Why isn't the FTC going after the real bad guys? Wyndham Hotels may regret going down this rhetorical path, since it invites the reader to substitute more appropriate, and less favorable, metaphors. For instance, a bank that leaves the front door open, resulting in the theft of its customers' deposits.

2. Our "National Nanny"

Emboldened by vague Supreme Court dicta comparing the agency to a “court of equity,” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244 (1972), the Commission set upon a series of rulemakings and enforcement actions so sweeping that the Washington Post dubbed the agency the “National Nanny.”  

Amicus Brief, TechFreedom, et al., pp. 2-3  

Here we have the argumentum ad hominem, a classic but (as we learned in logic class) fallacious argument: focus on the speaker rather than the speaker's argument. We all know about nannies: well-intentioned but bumbling, micro-managing tsk-tskers who spoil all the fun. Just because the FTC attempted to parlay a high court blessing, handed down in a case about the green stamps business, into a position of authority over other areas of commercial activity doesn't mean that now, 40 years later, the agency lacks authority to protect consumers against the millions of dollars lost each year due to identity theft and credit card fraud. The National Nanny might have a point here.

3. Nobody Gave the FTC This Power

Large and small businesses already are subject to a dizzying array of federal statutes that establish data-security standards in specific sectors of the economy. None of those statutes, however, apply in this case. Notwithstanding that statutory silence, the FTC argues that the general language of Section 5 gives it the broad authority to set data-security standards for any American business operating in any industry. No court has ever held that Section 5 gives the FTC such unbounded authority.  

Wyndham Hotels Motion to Dismiss, p. 1  

Then again, no court has ever ruled that the FTC lacks authority to enforce a minimal set of generally accepted data security practices. The brief's resort to the "no court has ever held" rhetorical device seems intended to suggest that the judicial path of least resistance -- upholding the FTC's assertion of enforcement authority under its own statute -- is in fact the most audacious route the court could take. The case has been assigned to Judge Esther Salas, an Obama appointee who received her judicial commission in 2011. We'll soon know the mettle of this relatively new judge, and how she responds to this sort of argument.

4. The FTC Once Said It Lacked Authority Over Data Security

The FTC itself previously agreed that it lacked the very authority that it purports to wield in this case. On multiple occasions in the 1990s and early 2000s, the FTC publicly acknowledged that it lacked authority to prescribe substantive data-security standards under Section 5. For that very reason, the FTC has repeatedly asked Congress over the past decade to enact legislation giving it such authority.  

Wyndham Hotels Motion to Dismiss, p. 3  

There is quite a bit of back-and-forth in the briefs over what FTC officials did, or did not, say in their testimony to Congress on data security enforcement many years ago. It seemed to me that Wyndham Hotels' attorneys were attempting to make hay out of a stray comment, taken out of context, while ignoring quite a bit of testimony from FTC officials clearly declaring the agency's belief that it has authority to use the "unfair" practices prong of Section 5 to remedy lax data security practices. In any event, the legality of the FTC's action against Wyndham is not going to turn on a stray comment, allegedly uttered years ago.

5. The Overall Statutory Landscape

The overall statutory landscape strongly suggests that the “unfair … acts or practices” language in Section 5 of the FTC Act should not be interpreted to empower the FTC to establish data-security standards for the private sector.  

Wyndham Hotels Motion to Dismiss, p. 8  

Wyndham Hotels' "overall statutory landscape" argument goes like this: At one point in time, the FTC might plausibly have claimed that it had authority under Section 5's "unfairness" prong to regulate data security. However, the recent string of legislative enactments giving the FTC power over data security in sector-specific areas -- the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, the Health Insurance Portability and Accountability Act, the HITECH Act, and the Cable Television Consumer Protection and Competition Act -- has foreclosed the argument that the FTC has broad statutory authority over data security standards in all industries. This struck me as Wyndham's best argument; it will be interesting to see how the court responds to it. The FTC ridicules this argument, however, claiming that what Wyndham Hotels is asking for is a data security carve-out to Section 5.

6. Not Enough Notice

The FTC’s enforcement action in this case should be dismissed because the Commission never provided the “fair notice” that the Constitution and these cases require. The text of Section 5 itself clearly provides no meaningful notice to regulated parties—it generically prohibits “unfair and deceptive” business practices without going into any further detail as to what practices might be deemed “unfair” or “deceptive.” 15 U.S.C. § 45. And making matters worse, the FTC has published no rules or regulations at all explaining what data-security practices a company must adopt to be in compliance with the statute.  

Wyndham Hotels Motion to Dismiss, p. 11  

In this portion of its brief, Wyndham Hotels claims that there was no way for it to know that its data security practices were unlawfully shoddy until the FTC's complaint landed on its doorstep. Perhaps, but I question that assertion. Most attorneys in this field watch the FTC like hawks, carefully poring through FTC settlements in search of policy guidance. The FTC settled many (19, I believe) cases asserting that lax security practices violated Section 5's "unfairness" prong before it turned its attention to Wyndham Hotels. Whether these enforcement actions, and the manner in which they were settled, provided reasonable notice to Wyndham Hotels regarding what the law required will be another issue that should loom large in Judge Salas' decision.

Wyndham Hotels also argues that the FTC has provided no evidence as to what the supposed "standard" security practices are, or how Wyndham allegedly fell short of them.

7. No Consumer Injury

[B]ecause of the special nature of payment card data, consumer injury from the theft of such data is never substantial and always avoidable. Federal law places a $50 limit on the amount for which a consumer can be liable for the unauthorized use of a payment card. [...] And all major card brands have adopted policies that waive liability for even that small amount. Consumers can thus always “reasonably avoid” any financial injury stemming from the theft of payment card data simply by having their issuer rescind any unauthorized charges.  

Wyndham Hotels Motion to Dismiss, p. 11  

A familiar argument, and a real battleground so far in privacy class action litigation. Clearly the alleged security shortcomings by Wyndham Hotels cost somebody over $10 million. Is the FTC limited to considering just those injuries suffered by consumers, and not the credit card companies or their insurers?

8. No Causation

Even looking past the FTC’s conclusory allegations of “unreasonable” security, the Commission also has not adequately pleaded causation. See 15 U.S.C. § 45(n). The Amended Complaint contains no factual allegations showing how the alleged data-security failures caused the intrusions, or how the intrusions resulted in any particular consumer harm.  

There are some causation issues that will have to be worked through if this case gets past the summary judgment stage. Wyndham Hotels operates its hotels through a franchisor-franchisee relationship. Some computer networks are operated by Wyndham, others by franchisee hotel operators. Wyndham Hotels argues that the FTC has failed to adequately allege which networks were breached, what information was compromised, and how any of this resulted in injury to consumers.

9. Data Security Too Dynamic for Regulators

The FTC historically has had an important, statutorily mandated role to play in protecting consumers. But its attempt to expand its current unfairness enforcement power to the technically complex and dynamic risk-management practices of businesses in almost every sector has stretched its statutory authority beyond the breaking point.  

U.S. Chamber of Commerce amicus brief, p. 28  

The argument that the internet is too dynamic and complex to regulate has been a policy assumption for some time now, but its vitality is quickly waning. In 2013, I don't think anybody believes that the "system of tubes" is so complex that it defies rational regulation. Is there any doubt that, if Congress were to write a generally applicable data security bill, the main feature of that bill would be to delegate the details to the FTC? The FTC is already involved in quite a bit of data security policy pursuant to legislation already on the books. 

10. Enforcement Turns Franchise Law on Its Head

Finally, Wyndham Hotels claims that the FTC's action contravenes basic principles of franchise law because the complaint is, in effect, seeking to hold Wyndham Hotels liable for the data security failures of its franchisees. A franchisor is liable for a franchisee's misdeeds only when the franchisor directly controls the franchisee. The security mess identified in the FTC complaint is evidence of the lack of control Wyndham had over its franchisees. So the argument goes. There are a lot of knotty fact issues here, and the defendants have asked for a stay of discovery until the matter of the FTC's authority is resolved. It doesn't appear likely that this issue will be susceptible of resolution at the summary judgment stage.

Read for yourself. Here are the principal briefs filed so far in this case: