In Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss the FTC’s lawsuit against the hotel chain, a suit brought in the wake of the company being hacked. Wyndham had challenged the FTC’s power to assert an unfairness claim under Section 5 of the FTC Act. Although the Court’s ruling focused solely on the FTC’s authority to bring the lawsuit, and offered no opinion on the underlying merits of the allegations, the ruling could have broad ramifications for the FTC’s ability to pursue companies for unfair and deceptive trade practices when a data breach occurs.

This dispute began in June 2012 when the FTC filed a complaint against Wyndham alleging that the hotel chain’s “failure to implement reasonable and appropriate security measures exposed consumers’ personal information” in a manner that violated both the unfairness and deception prongs of Section 5 of the FTC Act. The FTC alleged that the security failures resulted in three data breaches between April 2008 and January 2010 – exposing more than 600,000 consumer payment card account numbers and leading to more than $10.6 million in fraud loss.

Wyndham took the unusual step of challenging the FTC’s power to assert an unfairness claim, alleging that the FTC had overstepped its statutory authority by attempting to regulate private companies’ data security practices. Judge Salas disagreed and rejected Wyndham’s request to “carve out a data-security exception to the FTC’s authority.” Specifically, Judge Salas found that the unfairness prong of Section 5 of the FTC Act permitted the agency to regulate data security in the private sector, and that the FTC’s authority can coexist with the existing data-security regulatory scheme (specifically mentioning the FCRA, GLBA, and COPPA). 

Judge Salas also found that the FTC had provided fair notice of what constitutes reasonable data security standards, and that fair notice does not require the FTC to formally issue rules and regulations before it can pursue unfairness claims in federal district court. Pointing to the FTC’s many public complaints, consent agreements, public statements and business guidelines brochure, in addition to Wyndham’s own references in its privacy policy to “industry standard practices” and “commercially reasonable efforts,” the Court refused to dismiss for lack of fair notice. 

The FTC was found to have adequately pled a claim not only for unfairness, but also for deception under Section 5. The complaint’s allegations permitted the Court to infer that Wyndham’s “data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.” The Court found that the FTC did not simply assert a violation because a data loss event occurred, but rather identified specific issues with Wyndham’s data security practices (lack of complex passwords, lack of firewalls, and failure to adequately inventory computers on the network). Even under the potentially applicable heightened pleading standard for claims sounding in fraud, the FTC adequately pled a deception claim in light of the breaches, based on Wyndham’s representation to its customers that it safeguards their personally identifiable information by using “industry standard practices” and undertaking “commercially reasonable efforts” to collect personally identifiable information “consistent with all applicable laws and regulations.”

This decision is important because it is the first time the FTC’s authority in the data breach context has been tested in court. The Court stressed, however, that the ruling on Wyndham’s dismissal bid was far from the last word on the matter. Judge Salas noted that “a liability determination is for another day” and advised the FTC to exercise discretion when pursuing additional enforcement actions. “This decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” she ruled. “Instead, the court denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage – in view of binding and persuasive precedent.” In the meantime, companies should become familiar with the various sources of information provided by the FTC (the complaints, consent agreements, public statements and business guidelines listed by the Court and mentioned above) identifying reasonable data security standards, especially given that FTC actions in the data security context are likely to continue.