In FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014), a case closely watched by privacy and data security professionals across the United States, a federal district court held that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act") to regulate data security practices and to bring enforcement actions targeting those practices it deems insufficient. Regardless of any appeal in the case, the FTC's increasingly active role in regulating data security practices, together with the district court's decision in Wyndham, means that businesses should assess and, where appropriate, implement security measures that meet industry standards. Businesses should also review their existing privacy policies to ensure that they are consistent with actual practices.
First, the court rejected Wyndham's claim that given the "recent data-security legislation and the FTC's public statements," it is clear that the FTC does not have the power to "assert an unfairness claim in the data-security context." The court explained that recent legislation is not clearly incompatible with the notion that the FTC has existing authority to regulate data security. Rather, the court explained that the new legislation supplements the FTC's existing authority.
Second, the court rejected Wyndham's claim that the "FTC must formally promulgate regulations before bringing an unfairness claim" so that businesses have fair notice of what they must do in order to avoid an unfairness complaint. In rejecting this assertion, the court noted that agencies can regulate through general rulemaking or individual adjudication, and that businesses can look to recent FTC consent agreements and public releases on data security for guidelines on appropriate security measures.
Finally, the court rejected Wyndham's claim that the FTC was without authority to assert a claim against Wyndham because the data breaches did not cause consumers "substantial injur[ies]" that were not "reasonably avoidable," which is required by the Act as a prerequisite to the FTC's enforcement authority. The court explained that whether consumers suffered financial injuries that were not reasonably avoidable was a factual inquiry that could not be resolved in a motion to dismiss. Although the court left open the possibility that the FTC's enforcement action ultimately may fail should discovery reveal that consumers did not actually suffer a substantial injury, the court effectively reaffirmed the FTC's asserted authority to regulate data security practices.
Given the increased scrutiny of privacy and data security practices that has followed recent, highly publicized data breaches at large retailers, the court's decision may well embolden the FTC to become even more active in regulating data security practices across numerous industries, many of which lack formal regulations or guidelines. Companies subject to FTC enforcement jurisdiction should therefore review their privacy and data security policies and implement industry-standard practices in order to reduce their exposure to FTC enforcement actions premised on deceptive or unfair practice claims.