On April 7, 2014, the U.S. District Court for the District of New Jersey became the first court to hold that the Federal Trade Commission has authority to regulate businesses’ unfair data security practices. In denying a motion to dismiss, the court held not only that the FTC has the authority to bring a claim for unfair data security practices, but also that the agency need not issue formal regulations before it brings an unfairness claim.

The court’s decision sets an important precedent in favor of the FTC, which, by its own count, has settled more than 50 enforcement actions relating to data security standards as of early 2014. Recently, for example, the FTC settled two claims against mobile application developers, Fandango and CreditKarma, for unfair and deceptive trade practices related to the developers’ alleged failure to implement default data security measures in their mobile applications.

For businesses that handle consumers’ information, the decision is significant for two reasons. First, it demonstrates that the FTC will continue to play a prominent role in enforcing against unfair data security practices. Second, it signals that such businesses must continue to look primarily to the FTC’s public guidance and enforcement history for notice of the data security practices the agency may find unfair. Nonetheless, additional challenges to the FTC’s unfairness authority remain, and the continuing litigation on the scope of this statutory authority bears attention.

The Court’s Decision

In its August 9, 2012 amended complaint against Wyndham Hotels and Resorts, LLC, et al. (Wyndham), the FTC alleged that Wyndham had engaged in unfair and deceptive trade practices in connection with three data breaches it suffered between 2008 and 2010 that compromised customers’ payment card data. According to the FTC, the breaches were accomplished via similar technological means—third parties accessing Wyndham’s network through administrative accounts and installing memory-scraping malware that collected consumers’ payment card data stored in Wyndham’s Phoenix data center. The filing of the complaint represented a warning shot not just to the hospitality industry, but to all businesses that collect significant amounts of customer data.

In its unfairness claim, the FTC alleged that Wyndham “failed to provide reasonable and appropriate security for the personal information collected and maintained by [Wyndham].” Specifically, the agency alleged that Wyndham’s data security practices were “inadequate,” and listed several data security practices that, when taken as a whole, amounted to unfair business practices. These practices included:

  • Failure to use mechanisms, such as firewalls, to limit access to Wyndham’s network;
  • Storage of payment card data in “clear, readable text”;
  • Failure to ensure local computers had adequate protections before connecting them to the network;
  • Failure to remedy known vulnerabilities to network and device software;
  • Use of default or easily guessed user IDs and passwords;
  • Failure to keep a proper inventory of the devices connected to its network;
  • Improper incident-response procedures;
  • Failure to retain and exercise control over third-party vendor access to the network.

To remedy Wyndham’s claimed failures, the FTC sought, in its amended complaint, a permanent injunction and any other equitable relief that the court would find appropriate.

On April 26, 2013, Wyndham moved to dismiss the case, but its arguments primarily focused on attacking the FTC’s unfairness claim. Wyndham challenged that claim on several grounds, arguing that (1) the FTC has no statutory authority to regulate data security practices as unfair, (2) the FTC failed to provide businesses with proper notice as to what data security practices were inadequate or unfair, and (3) the FTC failed to allege critical elements of an unfairness claim. Wyndham also challenged the sufficiency of the FTC’s deceptive trade practices allegations.

At oral argument on November 7, Wyndham aggressively challenged the FTC’s authority to bring unfairness cases. Not only did it argue that the FTC lacked authority to regulate data security as a general matter, but it also suggested that a formal rule must be in place before the agency can bring any unfairness action. If accepted by the court, these arguments would have marked a sea change in the U.S. regulatory landscape and drastically reduced the scope of the FTC’s authority. However, on April 7, 2014, the court rejected each of Wyndham’s arguments.

First, the court distinguished Wyndham’s challenge to the FTC’s authority from FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), in which the Supreme Court held that Congress had excluded from the FDA’s jurisdiction the authority to regulate tobacco products. Wyndham relied on Brown & Williamson to argue that Congress had precluded the FTC’s authority over data security by passing laws specifically regulating businesses’ online interactions, such as the Children’s Online Privacy Protection Act. The court disagreed, holding that the FTC’s unfairness authority over data security did not “plainly contradict congressional policy” and noting that relevant legislation complemented rather than precluded the FTC’s authority over data security. The court also found that the FTC had not disavowed unfairness authority over data security (as the FDA had done regarding tobacco products), and that the legislative history of the FTC Act demonstrated that the FTC’s unfairness authority was not cabined to particular practices.

Second, the court held that fair notice does not require the FTC “to formally issue rules and regulations before it can file an unfairness claim in federal district court.” The court relied on previous Courts of Appeals’ decisions affirming FTC unfairness actions without preexisting rules or regulations addressing the conduct at issue. The court found that “the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure” could satisfy the fair notice standard. In rejecting Wyndham’s arguments to the contrary, the court found the consequence of that argument—that “the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions”—to be “untenable.”

Third, the court held that the FTC had sufficiently alleged claims for unfair and deceptive trade practices in violation of 15 U.S.C. § 45(a). With respect to the unfairness claim, the court found that the FTC’s allegations of misuse of consumers’ payment card information satisfied the “substantial injury to consumers” element required by 15 U.S.C. § 45(n). The court also refused to conclude at this stage that consumers could have reasonably avoided the alleged harm. With respect to the deception claim, the court found that the FTC sufficiently alleged Wyndham had made deceptive statements about its data security practice. The court suggested that the impressions of a reasonable consumer upon reading a privacy policy involve factual issues it could not resolve on a motion to dismiss.

FTC Continues To Enforce Unfair Data Security, But Future Activity Remains Unclear

The court’s decision comes during a period of increasing activity for the FTC in the data security arena. FTC Chairwoman Edith Ramirez recently testified to Congress, encouraging it to pass data security legislation, specifically legislation governing data breach notices. In support of the FTC’s position, Ramirez testified that the FTC has settled 50 cases involving businesses’ failure to appropriately protect consumers’ personal information.

Nonetheless, the FTC’s fight to defend its unfairness authority in the data security sphere is far from over. Wyndham may appeal the district court’s decision, but the FTC already faces another challenge to its unfairness authority from LabMD, Inc. (“LabMD”). There, LabMD sought to dismiss an administrative complaint the FTC had filed alleging that LabMD had engaged in unfair business practices by failing to adequately protect consumers’ information. In its motion to dismiss – and in two federal actions LabMD filed in the District Court for the District of Columbia and the Eleventh Circuit Court of Appeals – LabMD argued that the FTC did not have authority to enforce against LabMD’s data security practices because it was already governed by the Health Insurance Portability and Accountability Act. The FTC disagreed and denied LabMD’s motion to dismiss. Shortly thereafter, in February 2014, the Eleventh Circuit dismissed LabMD’s action for lack of jurisdiction, and LabMD voluntarily dismissed its complaint in the district court. On March 20, 2014, LabMD refiled its complaint, this time in the District Court for the Northern District of Georgia. LabMD seeks, among other relief, a declaratory judgment that the FTC does not have authority to regulate its data security practices. The FTC has moved to dismiss the action, and the court has set a hearing on LabMD’s motion for preliminary injunction for April 17, 2014.

Furthermore, even if the FTC prevails against both Wyndham and LabMD, the New Jersey federal court noted that its decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” For example, the court relied on the FTC’s allegations of unreimbursed and unauthorized charges to consumers’ payment cards to support its finding that the FTC adequately alleged a substantial injury to consumers. Although the court did not state that these allegations were necessary to avoid dismissal, its analysis suggests that actions in which the FTC cannot allege specific financial harms to consumers may not survive motions to dismiss. Thus, the door remains open for at least some future challenges.

For now, however, the court’s decision affirms both that businesses can face an enforcement action from the FTC in light of bad data security and that they should be mindful of the FTC’s prior data security guidance and enforcement activity in order to avoid such an action. With this precedent on the books, businesses will face an uphill battle if they seek to dismiss a claim similar to that alleged against Wyndham. In addition, because this court accepted the idea that the FTC can regulate unfair data security practices through its prior consent decrees, businesses ignore the FTC at their peril.

Conclusion

The court’s decision denying Wyndham’s motion to dismiss sets an important precedent, though it does not end the debate over the FTC’s authority to regulate unfair data security practices. Other courts have yet to weigh in on these important issues.

But, as a result of the Wyndham decision, the growing number of companies that handle consumers’ personal information can expect future data security enforcement from the FTC. Those companies should continue to monitor the FTC’s guidance and enforcement actions to assess the reasonableness of their data security practices. In particular, the court’s guidance on what constitutes fair notice by the FTC – the FTC’s public complaints and consent agreements, as well as its public statements and business guidance brochure – constitutes a roadmap for companies to use in establishing reasonable data security practices.