Yesterday, the Third Circuit released a long-awaited decision, holding that the Federal Trade Commission (“FTC”) does have authority to regulate data privacy and security practices that fail to protect consumer data. The decision could affect many companies and other organizations that hold consumer data by increasing their risk if they fail to adequately protect such data.
Background of Case. The FTC has broad authority under 15 USC Section 45(a) (commonly called “Section 5” of the FTC Act) to protect companies and consumers from “unfair or deceptive acts or practices.”
In 2008 and 2009, the hotel company Wyndham Worldwide Corporation experienced three separate hacking incidents that affected over 600,000 customers. The FTC claimed that these incidents violated Section 5. Unlike most other companies, Wyndham challenged the FTC action, claiming that: (1) the FTC lacked authority under Section 5 to bring such a claim; and (2) the FTC had failed to provide adequate notice of what data protection practices were required to avoid “unfair” acts or practices by a business.
Decision Rejects Both Arguments. The Third Circuit rejected both of Wyndham’s arguments. First, the court held that the FTC’s authority to hold companies accountable for “unfair” acts or practices includes data security practices.
The court also held that Wyndham did have “fair notice” of the FTC’s requirements, even though there are no FTC regulations, and not a lot of FTC guidance, on how to protect this data. The court held that what guidance there was—along with the plain terms of Section 5—was sufficient to provide “fair notice” to Wyndham.
The court did not determine whether Wyndham’s practices constituted “unfair or deceptive acts or practices.” Absent an appeal, the case now returns to a lower court for a further determination (or settlement).