A recent United States District Court decision underscores the importance for business owners of assessing and implementing data security measures that comply with industry standards. In recent years, the Federal Trade Commission (FTC) has become increasingly active in regulating data security practices, initiating over 50 enforcement actions to date. In the first case to legally challenge the FTC's authority to regulate data security measures, the court’s ruling has potentially opened the door to more cyber-security compliance and legal risks for businesses.
failing to use firewalls; permitting storage of payment card information in clear readable text; allowing its hotels to connect insecure servers to its computer network; permitting servers on its networks with commonly-known default user IDs and passwords; failing to use commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; failing to monitor its computer network for malware used in a previous intrusion; and failing to restrict third-party access.
Moreover, the FTC claimed that after discovering these security breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” As a result, the FTC alleged that Wyndham had “exposed consumers’ personal information to unauthorized access, collection and use” that has caused or is likely to cause substantial consumer injury, including financial injury.
In response, Wyndham moved to dismiss the FTC’s complaint on the grounds that the FTC lacked authority under the FTC Act to regulate data security practices. In denying Wyndham’s motion, however, the Court upheld, and perhaps expanded, the FTC’s authority to regulate such practices. Indeed, the Court’s opinion suggests very few, if any, constraints on the authority of the FTC to develop a common law of data protection requirements through case-by-case adjudication. Specifically, in response to Wyndham’s argument that the “FTC must formally promulgate regulations before bringing an unfairness claim” in order to give a business fair notice of the requirements for compliance, the Court noted that FTC unfairness actions have been upheld in a variety of contexts without preexisting rules or regulations specifically addressing the conduct at issue. As a result, the Court held that the FTC may regulate either through general rulemaking or through individual adjudication. Thus, a business must look to the rulings, interpretations and opinions of the FTC for guidance, and need not be afforded particular notice of what constitutes “unfair” conduct.
The Court also rejected Wyndham’s claim that the three data breaches at issue did not cause consumers any “substantial injury” because consumers could have their payment card issuer rescind any unauthorized charges. In doing so, the Court explained that whether consumers suffered financial injuries that were not reasonably avoidable is a factual inquiry that cannot be resolved in a motion to dismiss. The Court, therefore, implied that if discovery does not reveal any evidence of substantial injury suffered by consumers, Wyndham may prevail against the FTC. Nonetheless, the Court’s ruling on this point equates to an affirmation of the FTC’s authority to regulate data security practices.
Overall, the Court’s opinion suggests very few, if any, constraints on the authority of the FTC to enforce Section 5 of the FTC Act and to prosecute potential violations of it. Indeed, the opinion makes clear that the FTC: (1) need not promulgate specific regulations informing entities as to what activities constitute “unfair or deceptive acts or practices in or affecting commerce,” and (2) need not plead with much particularity the basis for its allegation that consumers have suffered “substantial injury” as a result of such conduct.
As a result, businesses should take extra care to avoid an FTC investigation and possible enforcement action. Specifically, they should be aware of the data protection standards in their respective industries, and should carefully and regularly review their own consumer data protection and privacy practices to ensure that they meet those standards. The recent opinion makes plain that taking these precautions is the cornerstone of complying with Section 5 of the FTC Act, and is critical to mitigating the risk of suffering the burden and expense of an FTC enforcement action.