For more than a decade, the Federal Trade Commission (“FTC”) has investigated companies for maintaining what the FTC believes are unreasonable data security safeguards. Given the legislative and regulatory void that exists concerning data privacy standards, the FTC has proceeded under its authority under the FTC Act to address “unfair” or “deceptive” business practices. The FTC’s reach has been broad, reviewing not only cases of actual data breaches involving the theft or unauthorized disclosure of customers’ personal information, but also circumstances where the agency believes there may be deficiencies in a company’s data and information security systems that create a risk of potential future consumer harm. In recent enforcement actions, the FTC has reached beyond traditional concepts of “deceptive” commercial practices and has begun to challenge a broader category of allegedly “unfair” security practices that may involve no false or misleading marketing statements or failure to follow published data privacy policies.

The FTC’s power was recently challenged after the Commission brought a lawsuit against Wyndham Hotels for alleged inadequate data security measures. Yet, in a recent opinion, a federal district judge confirmed the federal agency’s authority, thereby enabling the FTC to hold companies responsible for lax security practices even in the absence of any clear guidelines for those companies to follow.

This ruling has implications for companies involved in providing financial services and products to consumers. In addition to the clear instruction about the need to adopt appropriate privacy and data security standards, the ruling provides insights into the judicial deference to agency power, which has implications for the ways in which the FTC’s newest federal counterpart, the CFPB, can proceed.

Lawsuit Against Wyndham by FTC

On June 26, 2012, the FTC filed an action against Wyndham. The FTC alleged that the companies engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at independently-owned Wyndham-branded hotels with which the Defendants maintained franchise agreements.

The complaint alleged that the Defendants’ failure to implement reasonable and appropriate data security safeguards at the franchisee locations allowed computer hackers to breach franchisee computer systems and the Wyndham hotel data center on three separate occasions within a two-year period. The hackers were able to gain access to the financial account information for more than 600,000 hotel customers. The FTC’s complaint also claimed that Wyndham’s privacy policy misrepresented the extent to which the company protected consumers’ personal information. The complaint sought injunctive relief to prevent future violations of the FTC Act, as well as monetary relief for the affected hotel customers.

Motion to Dismiss by Wyndham

In April 2013, Wyndham filed a motion seeking to dismiss the FTC’s complaint on four grounds. First, Wyndham challenged the FTC’s authority to assert an unfairness claim in the data-security context. Second, Wyndham asserted that the FTC must formally promulgate rules or regulations before bringing an unfairness claim, and that by failing to do so, the FTC is violating fair notice or due process principles. Third, Wyndham argued that the FTC’s allegations were insufficiently pleaded to support either an unfairness or a deception claim. Finally, Wyndham challenged the FTC’s deception claim that Wyndham’s privacy policy misrepresented measures taken by the company to protect consumers’ personal information.

Ruling in Favor of FTC

On April 7, 2014, the court issued its decision denying Wyndham’s motion to dismiss, and finding for the FTC on all grounds. FTC v. Wyndham Worldwide Corporation, et al., No. 13-1887 (D.N.J., Apr. 7, 2014).

In challenging the FTC’s authority to assert an unfairness claim in the data-security context, Wyndham argued that Congress has passed narrowly tailored data security legislation, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act, and that this legislative environment does not give the FTC authority to establish data security standards for the private sector under Section 5. The court disagreed, stating that the FTC’s unfairness authority over data security can coexist with the existing regulatory scheme. In addition, the court found that data-security legislation proposed by Congress does not give rise to a data-security exemption from the FTC’s unfairness authority.

In addition, Wyndham argued that the FTC would violate basic principles of fair notice and due process by bringing an unfairness claim without promulgating rules, regulations, or guidelines explaining what data-security practices the Commission believes are required under Section 5. Wyndham argued that the FTC’s prior consent decrees and its business guidance provide no such concrete guidance. The court, however, rejected these arguments, noting that Circuit Courts of Appeal have previously affirmed FTC unfairness actions in a variety of contexts without articulating preexisting rules or regulations. The court also instructed that the FTC’s rulings, interpretations and opinions provide a body of precedent that offers meaningful guidance.

The court also concluded that the FTC’s complaint sufficiently pleaded an unfairness claim. The court stated that the allegations support the inference that Wyndham’s data-security practices caused the theft of personal data, which ultimately caused substantial injury to consumers.

In challenging the FTC’s deception claim, Wyndham argued that its privacy policy specifically excludes Wyndham-branded hotels from the policy’s data-security representations. In rejecting this argument, the court concluded that a reasonable customer would have understood that the policy makes statements about data-security practices for both Wyndham and Wyndham-branded hotels, and, focusing on the specific language found in Wyndham’s privacy policy, held that the deception claim was sufficiently pleaded.

What this means for companies in the financial services industry

Privacy and data security implications

Whether regulated by the FTC, the CFPB, or both, companies that provide financial services and products to consumers must continue not only to adhere to the legal requirements involving privacy and data security that relate specifically to the financial industry (such as the Gramm-Leach-Bliley Act and the FTC Safeguards Rule) but also to pay close attention to FTC precedent and enforcement actions. A cursory review of CFPB Guidance demonstrates that the CFPB adopts FTC precedent and the Commission’s understanding of its “deception” and “unfairness” authority. And, of course, state attorneys general ride on the coattails of FTC enforcement actions and initiatives.

Therefore, it is prudent for companies to examine carefully the consent decrees in FTC privacy enforcement actions to understand the government’s expectations about compliance when it comes to privacy and data security. In the FTC’s settlement with Facebook approved in 2012, for example, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days after the settlement, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

Subsequent to that settlement, public statements by FTC officials have made it clear that they expect all companies to have similar practices and procedures in place so that privacy and data security are “baked into” a company’s core business practices.

Likewise, it is prudent for companies to have data breach plans in place to minimize not only legal but public relations and reputational risks. As several recent media events have illustrated, such events can trigger governmental investigations as well as class action litigation and shake consumer confidence in the brand itself.

Implications for judicial understanding of the power of the CFPB

Many trade associations serving the interests of the financial services industry, company representatives, and business advocates have expressed concerns not only about the lack of guidance and clarity about what constitutes “abusive” or “unfair” or “deceptive” acts or practices in the eyes of the CFPB, but also about the way in which enforcement actions substitute for rulemaking in providing industry guidance and instruction. The Wyndham decision, however, provides insights into the deference courts can give to agency power.

Specifically, in its motion to dismiss, Wyndham argued that the FTC must promulgate rules and regulations to satisfy fair notice and due process principles. As directly noted by the court, Wyndham made two key arguments: (1) “it would violate basic principles of fair notice and due process to hold [Wyndham] liable in this case without rules, regulations, or other guidelines explaining what data-security practices the Commission believes Section 5 to forbid or require;” and (2) “[A]gencies cannot rely on enforcement actions to make new rules and concurrently hold a party liable for violating the new rule. . . . [C]onsent decrees cannot provide any meaningful notice to third parties.”

In rejecting these arguments, the court bluntly asserted that it “is unpersuaded that regulations are the only means of providing sufficient fair notice.” (Emphasis in original). The court cited decisions by federal appellate courts which “have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations specifically addressing the conduct-at-issue” (emphasis in original), and instructed that unfairness “is necessarily ‘flexible’ such that the FTC can apply Section 5 to the facts of particular cases arising out of unprecedented situations.”

It is certainly not a stretch to substitute the Dodd-Frank Act for Section 5 in this analysis to enable a court to bless the current movement by the CFPB. While this argument will undoubtedly continue, the Wyndham decision gives us a glimpse into how some courts may analyze the issues.