In a closely watched dispute over the Federal Trade Commission’s (FTC) power to regulate data security, a New Jersey federal court judge agreed with the agency that it can pursue its case against the Wyndham Hotel chain for lax security.

Businesses across the country have followed Wyndham’s challenge to the FTC’s authority. U.S. District Judge Esther Salas’ decision confirms that the agency can use its powers under Section 5 of the Federal Trade Commission Act to bring actions alleging that defendants engaged in unfair practices by failing to live up to data security promises.

The battle began in June 2012, when the FTC filed a complaint against Wyndham alleging that the company violated Section 5 by misrepresenting the security measures in its privacy policy and by failing to protect customer information. Three separate data breaches occurred as a result, the agency said.

Wyndham responded with a motion to dismiss that raised three arguments: a direct challenge to the FTC’s authority to assert an unfairness claim in the data security context; an assertion that the agency violated fair notice principles by not first promulgating regulations before bringing such a claim; and, finally, a contention that the FTC’s allegations were not sufficiently pleaded.

In an opinion that emphasized the “rapidly evolving” digital age “in which maintaining privacy, is, perhaps, an ongoing struggle,” the court refused “to carve out a data security exception” to the FTC’s authority.

Wyndham pointed out that several statutes specifically grant the FTC data security authority in particular areas—including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act—which, it argued, implies that the FTC does not have general power to regulate data security, because those statutes would otherwise be superfluous. Pending legislation that would grant the agency specific jurisdiction over data security further supported its argument, Wyndham told the court.

But Judge Salas disagreed, ruling that Congress granted the agency broad authority under Section 5 of the FTC Act and the subsequent data security legislation “seems to complement—not preclude—the FTC’s authority.” The identified statutes “each set forth different standards for injury in certain delineated circumstances, granting the FTC additional enforcement tools,” she wrote.

Comments made by various members of the FTC seeking additional regulatory powers in the data security ecosystem (such as a statement that “the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their websites, or portions of their websites, not directed to children”) did not convince Judge Salas that the agency had explicitly disclaimed data security authority.

The court also rejected Wyndham’s argument that the agency needed to first promulgate regulations before bringing enforcement actions, since otherwise companies would have no guidance as to what conduct could be actionable in the data security context. Because the FTC needs flexibility to adjust its actions to a range of industries and to constantly changing technology, the court said formally published rules are not required.

Agencies in other circumstances bring enforcement actions without guidance, Judge Salas noted, using the National Labor Relations Board and the Occupational Safety and Health Administration as examples.

“[T]he contour of an unfairness claim in the data security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases rising out of unprecedented situations,’” the court wrote. “Moreover, the court must consider the untenable consequence of accepting [Wyndham’s] proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”

Accepting Wyndham’s position would otherwise lead “to the following incongruous result: [Wyndham] can explicitly represent to the public that it ‘safeguard[s]…personally identifiable information by using industry standard practices’ and makes ‘commercially reasonably efforts’ to make collection of data ‘consistent with all applicable laws and regulations’—but that, as a matter of law, the FTC cannot even file a complaint in federal court challenging such representations without first issuing regulations,” Judge Salas said.

The FTC’s complaint otherwise satisfied pleading requirements, the court determined, denying Wyndham’s motion to dismiss.

The court added that it was not rendering a decision on liability and “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”

The opinion was issued in FTC v. Wyndham Worldwide Corporation.

Why it matters: Judge Salas’ decision upholding the FTC’s authority to regulate data security practices puts businesses on notice that their privacy policies and procedures are fair game for agency oversight. Some uncertainty does remain, however—as pointed out by Wyndham, without existing guidance from the FTC as to what constitutes unfair practices, companies must use their own judgment to avoid an agency action.