In a closely watched case of first impression, New Jersey federal judge Esther Salas has issued a ruling sustaining the FTC’s enforcement complaint alleging Wyndham Hotels Group violated both the deception and the unfairness prongs of Section 5(a) (15 U.S.C. § 45(a)) in connection with its alleged “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” According to the complaint, the hotel chain suffered three separate data breaches in which criminal intruders gained access to sensitive consumer information stored on its computer network, including payment card account numbers, expiration dates, and security codes. The FTC alleges Wyndham violated Section 5(a) “by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

In denying Wyndham’s motion to dismiss, Judge Salas rejected each of its arguments: that the FTC lacks authority to bring an unfairness claim involving data security; that the FTC failed to satisfy fair notice principles because it did not issue any regulations concerning data security before bringing its unfairness claim; and that the FTC’s allegations do not adequately state an unfairness or deception claim under Section 5. Though Judge Salas cautioned that the decision was not a finding of liability, since it only resolved a motion to dismiss, it is nonetheless significant because it represents the first time an Article III court has sustained an FTC complaint concerning data security based on the FTC’s unfairness authority.

In her decision, Judge Salas first addressed Wyndham’s contention that the FTC’s unfairness authority does not reach data security. Wyndham identified various statutes that authorize “particular federal agencies to establish minimum data-security standards in narrow sectors of the economy” (including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act of 1996) and argued that none of them gave the FTC authority to regulate data security under Section 5. Wyndham further argued that the FTC was seeking from Congress, through pending legislation, the very authority it asserted in the case against Wyndham, the fair implication being that existing legislation did not provide the FTC with authority for its action. Rejecting this argument, Judge Salas said that none of these statutes reflected an intent by Congress to preclude the FTC from exercising its unfairness authority in enforcement actions involving data security. According to Judge Salas, these statutes seem to “complement—not preclude—the FTC’s authority,” and the FTC’s unfairness authority over data security “can coexist with the existing data-security regulatory scheme.” Judge Salas also was “not convinced” that various FTC statements cited by Wyndham amounted to concessions by the FTC that it had “no authority to bring any unfairness claim involving data security.”

Next, Judge Salas rejected Wyndham’s argument that fair notice required the FTC to formally issue rules and regulations concerning required or forbidden data security practices before it could file an unfairness claim in federal district court. According to Judge Salas, accepting this argument would require her to ignore long-standing precedent holding the opposite, i.e., “that the FTC does not necessarily need to formally publish rules and regulations since the proscriptions in Section 5 are necessarily flexible.” Judge Salas thus appeared to agree with the FTC’s argument that the reasonableness of Wyndham’s data-security program could be assessed in light of: (1) industry guidance sources against which Wyndham itself appeared to measure its own data-security practices; and (2) the FTC’s Business Guidance Procedure and the consent orders entered in previous FTC enforcement actions.

Finally, Judge Salas rejected Wyndham’s argument that the FTC had failed to allege substantial, unavoidable consumer injury and otherwise failed to satisfy federal pleading requirements. As to Wyndham’s contention that consumer injury from theft of payment card data is “never substantial and always avoidable” (because federal law limits consumer liability to $50.00 and all major credit card brands waive liability even for this amount), she stated that the “FTC here alleges that at least some consumers suffered financial injury that included ‘unreimbursed financial injury’ and, drawing inferences in favor of the FTC, the alleged injury to consumers is substantial.” She also found that the FTC had alleged misuse of the stolen data by the intruders and that the FTC’s allegations “permit the Court to reasonably infer that [Wyndham’s] data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.” For example, she noted, the FTC alleged that Wyndham failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; did not require the use of complex passwords for access to Wyndham’s systems; and failed to adequately inventory the computers connected to its network so that it could manage those devices, among other alleged failures.

Notably, Judge Salas emphasized that her ruling was not a final finding of liability but only resolved a motion to dismiss, at which stage she was required to accept the FTC’s factual allegations as true. Indeed, she warned, her decision “did not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Instead, “the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.” The decision is, nonetheless, significant because it represents the first time the FTC has sustained a lawsuit against a defendant concerning a data breach based on the FTC’s unfairness authority rather than its “deception” authority (i.e., an allegation that the defendant failed to maintain the level of data security it claimed to provide to consumers). The case will continue to merit close scrutiny by those who follow the regulatory oversight of data security and privacy.