The FTC’s Claim
A New Jersey federal judge has confirmed the Federal Trade Commission’s (“FTC”) authority to regulate data security and bring claims against companies suffering data breaches due to inadequate cybersecurity safeguards, at least for now. In FTC v. Wyndham Worldwide Corp., et al., No. 13-1887 (D.N.J), the FTC brought a claim against Wyndham Worldwide Corporation (“Wyndham”) relating to alleged “data security failures that led to three data breaches at Wyndham hotels in less than two years.” The FTC claimed that Wyndham violated Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce” by failing to (a) comply with its customer-facing privacy policies, and (b) maintain adequate data security standards.
Wyndham Fires Back
In response, Wyndham filed a motion to dismiss the FTC’s claim, and argued that the FTC lacked the authority under Section 5(a) to bring an unfairness claim relating to data security standards by private companies. Wyndham further asserted that the FTC cannot punish companies under the FTC’s broad “unfairness” authority without formal regulations that provide companies with “fair notice” regarding what constitutes “reasonable” data security practices. Finally, Wyndham alleged that the FTC’s jurisdiction was limited in the area of data security because Congress has not provided the FTC with specific power to regulate data security standards as Congress has done in other data security and consumer privacy areas such as the Fair Credit Reporting Act (“FCRA”), the Gramm- Leach-Bliley Act (“GLBA”) and the Children’s Online Privacy Protection Act (“COPPA”).
FTC Authority Is Confirmed
Despite Wyndham’s best attempts at rebutting the FTC’s authority, Judge Esther Salas rejected all of Wyndham’s arguments, denied Wyndham’s motion to dismiss, and affirmed the FTC’s jurisdiction to regulate data security standards under its “unfairness” authority. The Court rejected Wyndham’s assertion that Congress’s failure to grant specific FTC authority in the area of data security standards somehow precludes the FTC from regulating this area. On the contrary, the Court reasoned that the FCRA, GLBA and COPPA are additional enforcement tools in those specified areas, and do not purport to limit the FTC’s general authority to regulate unfair and deceptive acts or practices, including in the area of data security.
The Court further rejected Wyndham’s claims that the “fair notice” requirement prohibits the FTC from regulating data security standards without first enacting regulations to establish specific data security standards. Relying on a long list of precedent in which FTC unfairness actions have been affirmed without preexisting rules or regulation specifically addressing the conduct at issue, the Court reasoned “that the FTC does not necessarily need to formally publish rules and regulations since the proscriptions in Section 5 are necessarily flexible.” The Court determined that Section 5’s three-part test, coupled with the FTC’s many public complaints and consent agreements, provides sufficient fair notice to companies concerning what constitutes the FTC’s standard for asserting an unfairness claim.
The FTC is not quite out of the woods yet, as Judge Salas pointed out that a “liability determination is for another day.” She also attempted to minimize the precedential impact of the holding by noting that the “decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
Even still, with this Court’s holding in its back pocket, the FTC will have even greater fire power when bringing cases under the “unfairness” standard and in negotiating cybersecurity claim settlements with defendants because there will be little question whether the FTC has authority to bring such an action. What’s more, this holding may reduce the likelihood that Congress will enact further regulations to provide the FTC with more explicit or specific authority to regulate data security standards. Alternatively, if the Court had instead granted Wyndham’s motion, Congress may very well have been prompted to enact legislation affirming the FTC’s specific authority in these cases to avoid leaving a gap in the regulation of data security standards.
Although, for the time being, the Court has decided an important question concerning FTC authority, Judge Salas recognized that the current data security climate will undoubtedly raise “a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.” In any event, as the recent major data breaches suffered by Target Corporation and Neiman Marcus make clear, data breaches and the need for cybersecurity standards and regulation are not going away any time soon, and, at least until Wyndham files its appeal, the FTC’s authority on the subject is no longer in dispute.