The Federal Trade Commission won a major victory this week, affirming that the agency’s jurisdiction over “deceptive” and “unfair” business practices empowers it to enforce minimum data security standards. In a long-awaited decision, on April 7, 2014, the Honorable Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham Worldwide Corp.’s motion to dismiss the FTC’s complaint, which alleged that Wyndham had failed to maintain “reasonable and appropriate” security for its customer data. Wyndham sought to dismiss the action, alleging that the FTC lacks authority to regulate data security and that the supposed standards it sought to enforce were impermissibly vague. Judge Salas rejected each of Wyndham’s arguments, agreeing with the FTC that failure to employ adequate data security measures is an unfair and deceptive trade practice.
Despite the FTC’s significant victory in the Wyndham case, the precise scope of the agency’s authority to regulate data security standards remains unsettled. The Wyndham court specifically noted that the FTC does not have “a blank check to sustain a lawsuit against every business that has been hacked,” and the measures necessary to meet a “reasonable” standard of security remain undefined. Notwithstanding these uncertainties, the FTC is widely expected to increase its enforcement activity in connection with data breaches now that its authority to do so has been upheld. In this context, companies that collect, store, or use consumer data are advised to review their data security practices against industry standards and proactively address any deficiencies they find. In addition, pre-breach crisis planning is important to ensure that any breaches that do occur are resolved swiftly and appropriately.