In the latest and most important federal court decision on data security enforcement, District of New Jersey Judge Esther Salas broadly upheld the Federal Trade Commission’s authority to police data security under the “unfairness” prong of Federal Trade Commission Act Section 5. The decision, which rejected Wyndham Worldwide’s claims that the FTC lacked such authority, comes at a time when the FTC has received increasing criticism that its continued reliance on case-by-case adjudication (rather than rulemaking) to apprise companies of their data security responsibilities provides insufficient guidance regarding which data security standards apply. Indeed, the FTC’s increased enforcement trend coincides with efforts by the National Institute for Standards and Technology to establish more consistent voluntary standards regarding data security through its release of the cybersecurity framework as well as requests from the FTC to Congress for even more authority to police data breaches.
In an article I recently published on Law360 along with Evan Wolff and Chris Cole entitled “FTC Data Security Authority Remains Murky Despite Wyndham,” we explain how the Wyndham decision fits in the broader evolving data security landscape. As the article discusses, in the absence of unambiguous authority vested with the FTC, other agencies will continue to jump on the data security bandwagon in the coming year, raising further questions regarding who is really in charge and which standards will apply.