In FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014)—a case closely watched by privacy and data security professionals across the United States—a federal district court held that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act")[1] to regulate data security practices and to bring enforcement actions targeting practices it deems insufficient.[2] Notwithstanding any appeal in the case, the FTC's increasingly active role of late in regulating data security practices and the district court's decision in Wyndham together mean that businesses should assess and, where appropriate, implement security measures that meet industry standards. Businesses should also review their existing privacy policies to ensure that the protections those policies promise match the controls actually in place, since a gap between the two is the basis of the FTC's deception theory. 

Section 5 of the Act prohibits "unfair or deceptive acts or practices in or affecting commerce."[3] To date, the FTC has initiated over 50 enforcement actions under Section 5 of the Act relating to companies' data security practices, relying variously on the deceptive-practices prong, the unfair-practices prong, or both.[4] Under a deceptive-practices theory, the FTC has alleged that a company, through its privacy policy or similar statements, misrepresented its data security practices by overstating the protective measures in place to safeguard consumer data.[5] Under an unfair-practices theory, the FTC has pursued companies that failed "to employ reasonable and appropriate security measures to protect personal information and files."[6] Prompted by three data breaches suffered by Wyndham from mid-2008 through the end of 2009, the FTC filed a complaint in June 2012 alleging that Wyndham had violated both prongs of the Act. 

In its complaint, the FTC alleged that Wyndham violated the deceptive-practices prong of the Act by representing in its online privacy policy that it "had implemented reasonable and appropriate measures to protect personal information against unauthorized access" when, in reality, it had not.[7] The FTC further alleged that Wyndham violated the unfair-practices prong of the Act by failing "in numerous instances . . . to employ reasonable and appropriate measures to protect personal information against unauthorized access," in that Wyndham "failed to employ commonly used methods to require user IDs and passwords that are difficult for hackers to guess," "failed to adequately inventory computers connected to [its] network," and "failed to use readily available security measures [such as firewalls] to limit access between and among" its various computer systems.[8] Notably, the alleged failures are basic controls (credential strength, asset inventory, and network segmentation), not exotic ones. Rather than settling these charges by entering into a consent agreement with the FTC, as businesses commonly do, Wyndham challenged the FTC's authority under the Act to regulate data security practices. In an order denying Wyndham's motion to dismiss the FTC's action, however, the court rejected Wyndham's challenge and upheld the FTC's authority. 

First, the court rejected Wyndham's claim that, given the "recent data-security legislation and the FTC's public statements," it is clear that the FTC does not have the power to "assert an unfairness claim in the data-security context."[9] The court explained that the recent legislation is not clearly incompatible with the FTC's having existing authority to regulate data security.[10] Rather, the court reasoned, the new legislation supplements the FTC's existing authority.[11] 

Second, the court rejected Wyndham's claim that the "FTC must formally promulgate regulations before bringing an unfairness claim" so that businesses have fair notice of what they must do to avoid an unfairness complaint.[12] In rejecting this assertion, the court noted that agencies may regulate through either general rulemaking or individual adjudication, and that businesses can look to recent FTC consent agreements and public releases on data security for guidance on appropriate security measures.[13] In practical terms, the controls named in prior consent orders and FTC guidance are the closest thing to a published standard of care under Section 5. 

Finally, the court rejected Wyndham's claim that the FTC lacked authority to assert a claim against Wyndham because the data breaches did not cause consumers "substantial injur[ies]" that were not "reasonably avoidable," which the Act requires as a prerequisite to an unfairness claim.[14] The court explained that whether consumers suffered financial injuries that were not reasonably avoidable is a factual question that cannot be resolved on a motion to dismiss.[15] Although the court left open the possibility that the FTC's enforcement action may ultimately fail should discovery reveal that consumers did not actually suffer a substantial injury, the decision, while only a ruling at the pleading stage, effectively upheld the FTC's asserted authority to regulate data security practices. 

Given the increased scrutiny of privacy and data security practices following recent, highly publicized data breaches at large retailers, the court's decision may well embolden the FTC to become even more active in regulating data security practices across numerous industries, many of which lack formal regulations or guidelines. Companies subject to FTC enforcement jurisdiction should therefore review their privacy and data security policies, confirm that every representation in those policies is backed by a control actually in operation, and implement industry-standard practices in order to reduce the risk of FTC enforcement actions premised on deceptive- or unfair-practice claims.