In the wake of the Federal Trade Commission’s (FTC) increasingly active enforcement of data privacy violations, a recent case, FTC v. Wyndham Worldwide Corporation, raises the interesting and controversial issue of the scope of the FTC’s authority to regulate data security in the absence of specific legislation.  How far can the FTC go in establishing and enforcing data security standards under its purported “unfairness” authority?  This case will provide much-needed guidance in answering this unresolved question.   

In June 2012—in what Wyndham calls “unprecedented litigation”—the FTC filed a complaint against Wyndham Worldwide Corporation, Wyndham Hotels & Resorts LLC, and related entities, charging that the Wyndham entities misrepresented their information security measures and repeatedly failed to safeguard consumers’ personal information, which resulted in the compromise of several hundred thousand consumers’ payment card data and a $10.6 million loss due to fraud.  In a press release issued shortly thereafter, the FTC declared that the enforcement action against Wyndham is part of its “ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.”

The FTC’s complaint, filed in the U.S. District Court for the District of Arizona, alleged violations of Section 5 of the FTC Act, 15 U.S.C. § 45, which bars “unfair or deceptive acts or practices in or affecting commerce.”  In the past decade, the FTC has brought 41 enforcement actions against companies alleging data security violations.  In each of these actions, the defendant entered into a settlement agreement (“consent decree”) before any significant litigation activity.  However, Wyndham Hotels & Resorts LLC, taking a novel and aggressive approach, recently moved to dismiss the FTC’s enforcement action on the ground that the Commission has no authority to “impose general data-security standards” upon businesses in all industries in the absence of specific legislation.

The FTC has filed a response to Wyndham’s motion, and Wyndham has filed a reply brief.  Amicus curiae briefs have also been filed by the International Franchise Association as well as a coalition of organizations that includes the U.S. Chamber of Commerce, the Retail Litigation Center, and the American Hotel & Lodging Association.

Wyndham’s Motion to Dismiss

In its motion, Wyndham Hotels & Resorts LLC argues that while the FTC may bring enforcement actions against companies that make “deceptive” statements to consumers, it has no statutory authority to establish and enforce data security standards under the “unfairness” prong of Section 5.  Wyndham contends that this case is a “classic example of agency overreaching,” as Congress’s failed attempts to enact data security laws—including the Cybersecurity Act of 2012 and eight other bills in 2011 alone—and the “robust debate” among the President, legislators and others about the proper scope of data security laws, confirm that Section 5 cannot be construed so broadly.

Wyndham points to the FTC’s Privacy Report to Congress in 2000 in which the FTC explained that it lacked “authority to require firms to adopt information practice policies,” requesting broader legislation requiring websites to “take reasonable steps to protect the security of the information they collect from consumers.”  Moreover, Wyndham notes, Congress has enacted no fewer than 10 federal statutes granting the FTC explicit authority to regulate data security practices in specific, limited contexts, including:

Wyndham advances several other arguments, including:

  1. the FTC’s attempt to exercise its authority over data-security practices through adjudication, rather than rulemaking, violates fundamental principles of fair notice and due process;
  2. the theft of payment card data does not constitute a “substantial injury” that is “not reasonably avoidable by consumers themselves” under Section 5 of the FTC Act because federal law limits consumer liability for unauthorized payment card use to $50 and all major card brands waive liability for even that amount;
  3. the conclusory allegations of the FTC’s unfairness count fail to state a plausible claim for relief under federal pleading requirements; and
  4. the FTC’s deception claim fails because it alleges that Wyndham Hotels & Resorts LLC’s online privacy policy deceived consumers regarding data security measures of Wyndham-branded hotels, which are independent franchisees of Wyndham Hotels & Resorts for which it made no representations.

Wyndham’s motion concludes that the Commission’s approach “would subject businesses to vague, unpublished, and uncertain requirements that would drastically alter the competitive landscape—without Congress or the President actually settling the debate about the costs and benefits of data security for American businesses.”

FTC’s Opposition to Motion to Dismiss

In its opposition, the FTC argues that Wyndham’s position lacks statutory or precedential support, that the Commission has consistently applied its authority to data security practices, and that Congress has confirmed this authority both implicitly and explicitly. 

Pointing to the legislative history of the FTC Act, the FTC contends that Congress purposely delegated broad power to the FTC under Section 5 of the Act and that Congress has rejected attempts to enumerate specific, prohibited acts and practices under the statute.  Thus, the FTC argues, Wyndham’s criticism that data security “is not enumerated in the ‘plain text of Section 5’ . . . simply states the obvious: Section 5 does not identify specific acts or practices.”  The FTC also points to a number of established uses of Section 5’s unfairness provision to prohibit unfair practices affecting commerce, including: unsafe farm equipment, online check drafting and delivery, business opportunity scams, weight loss products, and telephone billing processors.

The FTC argues that Wyndham mischaracterizes its Privacy Report from 2000, claiming that it referred only to the Commission’s authority over data security “absent unfair or deceptive practices.”  The FTC notes that it has brought 41 data security cases since 2000, and has routinely reported and publicized its data security program and enforcement activities to Congress, consumers, and industry.  The FTC contends, therefore, that it has “never disavowed” its authority over unfair practices related to data security.  The FTC also argues that the federal statutes addressing data security in specific contexts complement and enhance, rather than restrict, its “legal tools” available for enforcing data security, and congressional inaction in the area of data security “affirms the FTC’s interpretation of the scope of the FTC Act.”

In response to Wyndham’s argument that the FTC’s unfairness count fails to satisfy the federal pleading standard, the FTC argues that this count identifies, with specificity, ten data security failures that led to the theft of hundreds of thousands of consumers’ payment card data and millions of dollars in fraud loss, including failures related to: firewalls, storing sensitive data unencrypted and without business need, security patches, and password policies.  The FTC contends that Wyndham offers “no serious argument” that the FTC has failed to state a claim for unfairness under the FTC Act, which requires a showing that: (1) an act or practice caused or is likely to cause substantial injury to consumers; (2) the injury was not reasonably avoidable by consumers; and (3) the injury was not outweighed by countervailing benefits.  See 15 U.S.C. § 45(n).

Rejecting Wyndham’s argument that the FTC must address data security through rulemaking, the FTC notes that under U.S. Supreme Court precedent, an agency is not precluded from announcing new principles in an adjudicative proceeding.  The FTC also argues that the financial injury to consumers here—unreimbursed fraudulent charges, increased costs, lost access to funds and credit, time and money resolving fraudulent charges and mitigating subsequent harm—was “precisely the type of substantial injury” contemplated by the FTC Act: a “small harm to a large number of people.”  Lastly, the FTC contends that contrary to Wyndham’s argument, Wyndham’s privacy policy makes express representations about information collected by its franchisees.

Wyndham’s Reply Brief

Wyndham’s reply brief responds to the arguments made in the FTC’s opposition and reiterates the arguments in its motion to dismiss.  Wyndham argues that it is “implausible” that Congress, through a statute enacted in 1914 prohibiting “unfair” trade practices, would have given the FTC authority to regulate the “extremely complex computer systems” that companies use to protect consumer information today.

Wyndham contends that although the FTC claims that its own activities provide a basis for its enforcement authority, Congress has never endorsed the theory that the FTC has “unfettered authority to act as a roving policeman of data security.”  In fact, Wyndham argues, the FTC’s pattern of enforcement actions show that it has been using the high costs of litigation to “strong-arm” companies into “voluntary compliance without the opportunity for judicial review.”  Congress’s mere acquiescence to the FTC’s regulation of data security, Wyndham adds, should not be accepted as a plausible theory of statutory interpretation.  Wyndham also notes that the FTC’s examples showing the established uses of its unfairness authority all involved misleading or fraudulent conduct, neither of which are present in the case against Wyndham. 

Amicus Brief of U.S. Chamber of Commerce, the Retail Litigation Center, and the American Hotel & Lodging Association

The crux of the argument in the amicus brief of the U.S. Chamber of Commerce, the Retail Litigation Center, and the American Hotel & Lodging Association is that the FTC’s unfairness authority “does not permit it to set and enforce—whether through litigation or consent orders—general data-security policy.”  The amici note that no company’s data security is perfect, and “breaches do occur, exposing digital information,” but that the FTC has overreached by seeking redress not against the thieves, but against the businesses being victimized.  They further point out that Congress has not authorized the FTC to regulate data security and the FTC has repeatedly lobbied for legislation providing it with rulemaking authority in the area of general data security, thus far to no avail.

The amici argue that the Commission’s “piecemeal regulation by consent order” has enabled it to “impose unilaterally its evolving policy choices on businesses without the oversight the legislative branch,” without judicial review, and without participation from interested stakeholders.  Such regulation, the amici add, gives no advance notice to businesses on what they must to do comply with the law in a “rapidly changing technological environment.”

Amicus Brief of International Franchise Association

The amicus brief of the International Franchise Association (“IFA”) asserts similar arguments to those in the Chamber of Commerce’s amicus brief.  However, the IFA’s brief also argues the FTC’s deception claim fails because it “ignores the basic legal principle that a franchisor may be held liable for the actions of its franchisee only when it directly controls the franchisee’s conduct.”  In fact, the IFA argues, the FTC’s allegations show Wyndham’s apparent lack of control over its franchisees’ data security practices, and holding Wyndham liable in these circumstances “would stand basic principles of franchise liability on their head.”

The IFA adds that the franchise business model allows the franchisee to operate as an independent business enterprise, a “limited independent contractor, marked neither by one party’s absolute control over the other nor by the sharing of proceeds.”  The IFA concludes, therefore, that Wyndham cannot be held liable for its franchisees’ purported data security vulnerabilities, since it did not actually control its franchisees’ data security practices.

Comment

FTC v. Wyndham Worldwide Corporation presents an important issue—the scope of the FTC’s authority to regulate data security under Section 5 of the FTC Act—and could have significant implications for future FTC enforcement actions.  In particular, the case brings to the fore the issue of the FTC’s authority to regulate data security under the “unfairness” prong of Section 5.

The FTC’s attempts to stretch the boundaries of its enforcement authority and to impute liability to Wyndham for its franchisees’ alleged data security failures are concerning for businesses.  There have been few challenges to the FTC’s authority to enforce data security laws, since prior cases have settled by consent orders.  Wyndham has mounted a strong attack on this purported authority, and a decision in its favor would severely limit the FTC’s authority in the area of data security going forward.