In a closely watched dispute over the Federal Trade Commission’s (FTC’s) power to regulate data security, a New Jersey federal court judge agreed with the agency that it can pursue its case against the Wyndham Hotel chain for lax security.
Businesses across the country have followed Wyndham’s challenge to the FTC’s authority as the primary regulator of issues related to consumer data security and privacy in the United States. U.S. District Court Judge Esther Salas’s decision confirms that the agency can use its powers under Section 5 of the Federal Trade Commission Act to bring actions alleging that defendants engaged in unfair practices by failing to live up to their data security promises.
Wyndham responded with a motion to dismiss raising three arguments: a direct challenge to the FTC’s authority to assert an unfairness claim in the data security context; an assertion that the agency violated fair notice principles by not first promulgating regulations before bringing such a claim; and finally, a contention that the FTC’s allegations were not sufficiently pleaded.
In an opinion that emphasized the “rapidly evolving” digital age “in which maintaining privacy, is, perhaps, an ongoing struggle,” the court refused “to carve out a data security exception” to the FTC’s authority.
Wyndham unsuccessfully argued that since several statutes specify the agencies with data security authority with regard to particular areas – like the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act – a grant of authority to the FTC by the court would render these superfluous. Wyndham also noted that legislation was pending in which specific jurisdiction over data security would be granted to the agency. But Judge Salas disagreed and ruled that Congress conferred broad authority upon the FTC under Section 5 of the FTC Act and the subsequent data security legislation “seems to complement – not preclude – the FTC’s authority.” The identified statutes “each set forth different standards for injury in certain delineated circumstances, granting the FTC additional enforcement tools.”
Comments made by various members of the FTC seeking additional regulatory powers in the data security ecosystem (e.g., a statement that “the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their websites, or portions of their websites, not directed to children”) did not convince Judge Salas that the agency had explicitly disclaimed data security authority.
The court also rejected Wyndham’s argument that the agency was required to first promulgate regulations before bringing enforcement actions or companies would have no guidance as to what could be actionable in the data security context. Because the FTC needs flexibility to adjust its actions to a range of industries and constantly changing technology, the court said formally published rules were not required.
It noted that agencies in other circumstances bring enforcement actions without guidance, including the National Labor Relations Board and the Occupational Safety and Health Administration: “[T]he contour of an unfairness claim in the data security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases rising out of unprecedented situations’. . . . Moreover, the court must consider the untenable consequence of accepting [Wyndham’s] proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions – a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”
Accepting Wyndham’s position would otherwise lead “to the following incongruous result: [Wyndham] can explicitly represent to the public that it ‘safeguard[s]…personally identifiable information by using industry standard practices’ and makes ‘commercially reasonable efforts’ to make collection of data ‘consistent with all applicable laws and regulations’ – but that, as a matter of law, the FTC cannot even file a complaint in federal court challenging such representations without first issuing regulations,” Judge Salas said.
In denying Wyndham’s motion to dismiss, the court concluded that the FTC’s complaint otherwise satisfied pleading requirements.
The court added that it was not rendering a decision on liability and “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Although the court’s ruling confirms that the FTC has the authority to assert an “unfair” or “deceptive” claim in the data-security context, the case will move forward on the issue of whether Wyndham’s data security practices constituted a violation of Section 5 of the FTC Act.
To read the opinion in FTC v. Wyndham Worldwide Corporation, click here.
Why it matters: Judge Salas’s decision puts businesses on notice that their privacy policies and procedures are fair game for FTC oversight. Some uncertainty does remain, however, as pointed out by Wyndham. Without existing guidance from the FTC as to what constitutes unfair and deceptive practices, companies must maintain reasonable security to avoid an agency action. Unless and until Congress enacts comprehensive general legislation that sets forth a more specific standard of compliance, companies can help protect themselves by reviewing their information collection and security practices, by carefully evaluating the type of information collected from customers or users of their Web sites, by confirming that all data collected is transmitted and stored securely, and by ensuring that all privacy and data-security representations accurately describe the practices.