The Federal Trade Commission (FTC) has defeated a challenge to its authority under the FTC Act to bring unfair and deceptive trade practices claims, based on allegedly inadequate data security measures, against businesses that have themselves been the victims of a data breach.
On Monday, the U.S. District Court for the District of New Jersey permitted the FTC to go forward on its claims that Wyndham violated Section 5(a) of the FTC Act, which prohibits business practices that are “unfair or deceptive.” The case concerns data breaches suffered by Wyndham in which consumer payment card account numbers were exposed. The ruling is a clear signal that the FTC may continue to take action against companies that, in the FTC’s view, failed to maintain reasonable and appropriate data security to protect consumers’ sensitive personal information from unauthorized disclosure.
Currently, there is no national, comprehensive data security legislation that applies to all businesses, although certain industries, including the financial and healthcare industries, are regulated under statutes specific to those industries. Accordingly, the FTC has brought claims against non-regulated industries for allegedly inadequate data security measures based on its authority under the FTC Act. Although the FTC’s enforcement in this area is nothing new, previous actions generally resulted in settlement between the hacked business and the FTC.
In this case, however, Wyndham’s motion to dismiss challenged the FTC’s power to regulate data security under the FTC Act on multiple grounds. First, Wyndham argued that Congress’ specific grants of data security authority to the FTC under other statutes (FCRA, GLBA, HIPAA, COPPA) evidenced Congress’ intent that the FTC not regulate data security more generally under the unfairness prong of the FTC Act. The court declined to carve out a data-security exception to the FTC’s unfairness authority, finding that this authority can coexist with the existing sector-specific regulatory scheme, and noted that the FTC had regulated data security under the FTC Act in the past.
Next, Wyndham argued that the FTC’s failure to promulgate regulations identifying what constitutes improper data security practices violated fair notice principles. The court found that an agency has discretion to proceed either by ad hoc litigation or by rulemaking, and that Section 5 itself supplies guidance through a three-part test for whether an act or practice is “unfair”: it must cause or be likely to cause substantial injury to consumers, the injury must not be reasonably avoidable by consumers themselves, and the injury must not be outweighed by countervailing benefits to consumers or to competition. Additionally, the rulings, interpretations, and opinions of the agency constitute a body of experience and informed judgment to which courts and litigants can resort for guidance.
Last, Wyndham argued that the FTC failed to plead sufficient consumer harm, and since federal law places a $50 limit on the amount of consumer liability for any unauthorized use of a payment card, any alleged injury cannot be substantial. The FTC argued that consumers had suffered financial injury, including unreimbursed fraudulent charges, increased costs, and lost access to funds or credit, as well as time and money spent resolving fraudulent charges and mitigating subsequent harm. Because the FTC’s allegations must be taken as true at the motion to dismiss stage, the court found that the FTC had sufficiently pled that Wyndham’s data security practices caused theft of personal data and that these security practices were the ultimate cause of substantial injury to consumers as required under the statute. Notably, the court declined to read a heightened pleading standard of “recklessness” or “egregiousness” into the statutorily defined “unfairness” standard.
The court made it clear that its decision was not on liability, but only a denial of a motion to dismiss based on the facts alleged in the FTC’s complaint. The court expressly stated that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
The case has been widely followed in the data security realm due to the far reaching implications of a possible court decision in favor of Wyndham. Although many businesses consider themselves an additional victim of a hacker’s illegal conduct, the court’s ruling confirms that the FTC will continue to have broad license to bring such claims and to attempt to hold businesses accountable for allegedly inadequate security measures. While the ruling appears to strike a blow to businesses, in reality, a finding that the FTC does not have enforcement authority would leave a void in this area, which would surely be filled by various state attorneys general or legislators.
This ruling means that the FTC can bring enforcement actions against companies that are the targets of data breaches under its unfairness authority alone, without needing to rely on its authority over deceptive statements (such as privacy policies that overstate a company’s security practices), and we can expect the FTC to increase enforcement against companies it believes have insufficient data security procedures. For now, some questions remain open, such as what constitutes inadequate data security practices, and whether – despite the court’s admonition that its ruling would not open the door – the FTC will begin aggressively pursuing companies that have been the victims of data breaches. Given the lack of federal guidance in the area and the validation of the FTC’s authority, it remains to be seen whether this ruling will reduce or increase pressure on Congress to pass comprehensive data breach legislation.