A U.S. District Court has ruled this week that the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to bring enforcement litigation against companies whose data security practices are deemed to be “unfair” or “deceptive.” The ruling does not require the FTC to issue any standards or guidelines as to what data security practices are sufficient in the eyes of the FTC. The ruling is likely to lead to an increase in FTC enforcement actions and private litigation.
For more than a decade, the FTC has targeted companies for maintaining what the FTC believes are unreasonable data security safeguards. Because there is currently no federal law, regulation, or agency guidance that spells out the data privacy standards that all companies operating in the U.S. must satisfy, the FTC has proceeded under its general authority to address “unfair” or “deceptive” business practices. The FTC has stepped in not only in cases of actual data breaches involving the theft or unauthorized disclosure of customers’ personal data, but also in circumstances where the FTC believes there may be deficiencies in a company’s data security systems that create a risk of potential future consumer harm.
In recent enforcement actions, the FTC has reached beyond traditional concepts of “deceptive” commercial practices and has begun to challenge a broader category of allegedly “unfair” security practices that may involve no false or misleading marketing statements or failure to follow published data privacy policies. In one recent example, the FTC has complained about a company’s failure to require regular password updates, an omission that the FTC views as commercially “unreasonable.” For such asserted failings, the FTC has sought significant concessions from companies, such as implementation of a comprehensive information security program and a commitment to regular audits over the course of twenty years.
The FTC’s authority to take action against allegedly “unfair” or “unreasonable” data security practices, in addition to “deceptive” practices, met its first serious challenge in a recent case in federal district court in New Jersey. On April 7, 2014, the U.S. District Court for the District of New Jersey upheld the FTC’s far-reaching authority over the reasonableness of data security practices and rejected a challenge to such authority raised by Wyndham. The court affirmed the FTC’s enforcement authority despite the absence of any articulated standards and despite the existence of multiple sector-specific data security statutes and regulations enforced by other agencies.
The FTC’s views on the reasonableness of data security practices may have a significant impact going forward on companies that maintain consumer data. These views will be expressed by the FTC not through notice-and-comment rule-making and application of clear regulations but rather through consent orders, speeches by FTC leadership, and public workshops.
The U.S. district court did not reach any decision on the merits as to whether the defendants, Wyndham and related parties, are liable for unreasonable or deceptive practices. Rather, the court denied a motion to dismiss on the pleadings, forcing Wyndham to settle or continue to litigate against the FTC. This precedent will give the FTC greater leverage over companies under investigation and an enhanced ability to force companies to undergo expensive litigation over the reasonableness of their data security practices.
The FTC’s Allegations Against Wyndham
In a series of attacks between 2008 and 2010, hackers gained access to Wyndham’s computer network and to the separate computer networks of several independently-owned, Wyndham-branded hotels. From there, the attackers may have accessed credit card information the independent hotel owners collected from their guests. The responsible individuals, allegedly Russian cyber criminals, have not been caught.
In 2012, the FTC initiated a lawsuit against Wyndham. The FTC contended that Wyndham had failed to reasonably secure its computer network, and that this failure constituted an unfair or deceptive practice under Section 5(a) of the FTC Act, 15 U.S.C. § 45. The FTC’s case included a typical deceptive practices claim -- that Wyndham disseminated misleading privacy statements indicating that customer information would be reasonably secured. In addition to the deceptive practices claim, however, the FTC alleged that Wyndham’s failure to employ certain security practices itself warranted sanction under Section 5 as an unfair trade practice.
The FTC’s unfair trade practices claim highlighted a range of specific data security measures that the FTC alleges Wyndham did not employ. Wyndham’s alleged failures included, for example, storing payment information in clear text and failing to employ firewalls. The FTC argued that in addition to conflicting with the company’s privacy statements, Wyndham’s deficient security practices were likely to cause substantial injury to consumers that consumers could not reasonably avoid themselves, and that the lax security provided no countervailing benefit to consumers. The FTC attributed the hackers’ ability to access Wyndham computer networks to these “unfair” security lapses.
Wyndham’s Attack on the FTC’s Statutory Authority
Wyndham moved to dismiss both claims. It characterized the FTC’s lawsuit as an unprecedented attempt to stretch a broadly worded, century-old statute to provide authority to regulate sophisticated technologies not contemplated by its drafters or even by current members of Congress. Wyndham argued that the unfairness claim must be dismissed either because the FTC’s authority under Section 5 does not extend to data security or, alternatively, because the FTC did not provide fair notice of what Section 5 would require.
First, Wyndham argued that the broad, general language of Section 5, prohibiting “unfair . . . acts or practices,” does not give the FTC authority to prescribe specific data security standards to apply across all industries. Congress has approved an array of statutes setting specific data-security standards for individual sectors, belying a reading of Section 5 that would provide the FTC more general authority. Meanwhile, multiple efforts to pass a comprehensive data-security law have failed in Congress. Thus, Wyndham accused the FTC of seeking to sidestep the political process in order to claim authority not provided by any current law.
Second, Wyndham argued that even if the current FTC Act provides authority over data-security standards, enforcement of a vague unfairness standard in the absence of concrete data security rules violated its due process rights. Wyndham observed that the FTC has not published regulations or guidelines instructing companies what specific data safeguards Section 5 requires. Without providing fair notice defining which security practices would be considered ‘unfair,’ the FTC should not punish companies for failing to comply.
The FTC’s Response
The FTC defended its authority to bring enforcement actions alleging unfair data security practices by arguing that Section 5 is a flexible provision capable of addressing changing business norms and that Wyndham and other companies are well aware of what it requires.
The FTC first argued that Section 5 is designed to respond flexibly to changing business practices and over the years has addressed other unfair practices that use new technologies, such as telephone billing and online check drafting. Data security is no different from those other new technologies. In addition, the FTC maintained that no contradiction exists between its broad authority under Section 5 and sector-specific laws enhancing its authority within particular industries. Finally, the FTC disputed the idea that Congress’s inability to pass a comprehensive data security law stripped its authority over unfair data practices, noting that several recent bills explicitly recognized its existing authority over data security.
Second, the FTC contended that Wyndham and other businesses already have fair notice of what constitutes ‘unfair’ data security practices: “unreasonable data security practices are unfair.” The FTC pointed to government and industry sources as providing further clarity regarding reasonable data security, highlighting voluntary industry standards, such as those published by the National Institute of Standards and Technology (NIST), and consent orders entered in recent data security enforcement actions. Ultimately, the FTC defended its ability to define unfairness case-by-case through individual enforcement actions, and it argued that such an approach simplified efforts to fight cybercrime and provided flexibility in an area of constant change.
Practical Impact of the Decision
U.S. District Judge Esther Salas denied Wyndham’s motion to dismiss, ruling that the FTC had adequately stated claims that Wyndham engaged in both unfair and deceptive practices by failing to maintain reasonable data security that would protect consumers’ personal information from unauthorized access.
Unfairness. The court ruled that the FTC’s complaint adequately stated a claim that Wyndham’s data security practices were “unfair.” In so ruling, it confirmed that the FTC has the authority to regulate unfair data security practices and that the FTC may develop data security standards through case-by-case adjudication, a process that serves to complement the sector-specific data security laws and regulations that have been enacted.
In light of the Wyndham decision, the FTC will continue to challenge data security practices that it views as unreasonable, without providing a comprehensive set of requirements that companies may safely follow. Companies should look to the patchwork of FTC views expressed in consent orders, speeches by FTC leadership, and public workshops, as well as industry publications, to identify prudent security measures.
Permissive Pleading Standards. In more than one instance, the court declined Wyndham’s invitation to hold the FTC to strict pleading standards. With respect to the “unfairness” claim, the court rejected Wyndham’s argument that the FTC could not allege facts establishing substantial consumer injury. Wyndham emphasized that federal law limits consumer liability for the unauthorized use of a payment card to $50. And indeed, in practice, none of the major credit card companies charge consumers even this minimal amount when their payment information is compromised. Nevertheless, the court ruled that the FTC’s general allegations -- that at least some consumers suffered an unreimbursed financial injury -- sufficed to survive a motion to dismiss. With respect to the “deception” claim, the court rejected Wyndham’s contention that Rule 9(b)’s heightened pleading standards should apply. The practical effect of these rulings may extend past FTC enforcement actions and into private litigation. In particular, the decision may further embolden plaintiffs bringing cases under state law based on unfair or deceptive trade practices.
The court emphasized that the Wyndham decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Nevertheless, the decision further cements FTC authority over data security, as it allows the FTC to hold companies responsible for lax security practices in the absence of any clear guidelines for those companies to follow. Companies should continue to insist that the FTC articulate clear standards identifying practices that are unlawful versus merely imperfect.