The Federal Trade Commission (the “FTC”) has filed its response to the Wyndham Hotel & Resorts LLC’s (“Wyndham”) Motion to Dismiss. More information about Wyndham’s Motion can be seen in an earlier blog post here.
In its response, the FTC rebuts Wyndham’s Motion and argues three main points:
- the FTC has authority to pursue unfair and deceptive practices claims related to data security;
- unfairness actions related to data security do not require rulemaking; and
- the injury resulting from a payment card breach is sufficient for FTC to pursue its claims.
As support for its first point, the FTC asserts that it has authority to pursue unfair practices claims related to data security under Section 5 of the FTC Act because “Congress purposefully delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changes economy.” The FTC further rejects Wyndham’s claim that the FTC disclaimed its authority over unfair practices related to data security in its FTC’s Report to Congress in 2000 (the “Report”). On the contrary, the FTC argues that Wyndham has mischaracterized the Report. Although the Report states that FTC authority under Section 5 is limited to unfair or deceptive practices, this would only prohibit FTC enforcement actions in situations when the failure to adopt certain policies occurred without unfair or deceptive practices.
In further support of its first point, the FTC asserts that other data security statutes do not limit the FTC’s authority under the FTC Act. The FTC points out that there is no contradiction between the various data security statutes and the FTC Act, and that those statutes only provide the FTC with greater authority in limited contexts. In addition, although Congress has repeatedly attempted to pass further data security regulation, these proposed bills were only meant to expand the FTC’s authority. For example, the FTC cites Senator Rockefeller’s question to an FTC representative with regard to a Senate bill for increase data security legislation: “Can you talk about how Senator Pryor’s and my bill will complement your existing enforcement efforts?”
For its second point, the FTC argues that it is not required to address data security through rulemaking, but rather may proceed through case-by-case enforcement. The FTC claims that the action against Wyndham is simply a standard application of its authority under Section 5 against an entity that failed to undertake reasonable measures to protect information that it collected about consumers.
In its final point, the FTC argues that the harm suffered by consumers is substantial. Although many of the fraudulent charges to consumer’s credit cards were reversed, the FTC cites the time, trouble and aggravation suffered by consumers in getting the charges reversed as substantial injury, as well as the lost access to funds or credit. The FTC argues that the unfairness provision of the FTC Act is designed to protect consumers from this very type of harm: a “small harm to a large number of people.”
Although it is difficult to imagine the court drastically limiting the FTC’s authority at this stage of the case, the FTC’s argument is not a slam dunk. With both sides raising some interesting and creative arguments, it will be interesting to see how this Motion is decided. Stay tuned.