The Federal Trade Commission won a major victory this week, affirming that the agency’s jurisdiction over “deceptive” and “unfair” business practices empowers it to enforce minimum data security standards. In a long-awaited decision, on April 7, 2014, the Honorable Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham Worldwide Corp.’s motion to dismiss the FTC’s complaint, which alleged that Wyndham had failed to maintain “reasonable and appropriate” security for its customer data. Wyndham sought to dismiss the action, arguing that the FTC lacks authority to regulate data security and that the supposed standards it sought to enforce were impermissibly vague. Judge Salas rejected each of Wyndham’s arguments, agreeing with the FTC that failure to employ adequate data security measures is an unfair and deceptive trade practice.

The FTC’s action against Wyndham is based on a series of data breaches that occurred between 2008 and 2010, in which hackers gained access to Wyndham’s computer network and obtained personal information, including customers’ payment card account numbers. The stolen data was then used to make fraudulent charges of over $10 million. The FTC brought an action against Wyndham under Section 5(a) of the FTC Act, which prohibits “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” Specifically, the FTC alleged that Wyndham deceptively claimed in its online privacy policy that it implemented reasonable and appropriate protective measures. The Court rejected all of Wyndham’s arguments supporting its motion to dismiss the FTC’s action. First, the Court ruled that Section 5 of the FTC Act allows the FTC to regulate data security. The Court found that, despite congressional delegation of data security regulatory authority to other agencies, “the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” Second, the Court found that the FTC did not necessarily have to issue regulations before bringing an unfairness action because the standards in Section 5 “are flexible, to be defined with particularity by the myriad of cases from the field of business.” Finally, the Court found that the FTC had sufficiently alleged how Wyndham’s data security practices were unfair and deceptive.

Despite the FTC’s significant victory in the Wyndham case, the precise scope of the agency’s authority to regulate data security standards remains unsettled. The Wyndham court specifically noted that the FTC does not have “a blank check to sustain a lawsuit against every business that has been hacked,” and the measures necessary to meet a “reasonable” standard of security remain undefined. Notwithstanding these uncertainties, the FTC is widely expected to increase its enforcement activity in connection with data breaches now that its authority to do so has been upheld. In this context, companies that collect, store, or use consumer data are advised to review their data security practices against industry standards and proactively address any deficiencies they find. In addition, pre-breach crisis planning is important to ensure that any breaches that do occur are resolved swiftly and appropriately.