Federal Court Refuses to Dismiss FTC Data Security Authority

On April 7, 2014, in a landmark decision with broad implications for American businesses, the U.S. District Court for the District of New Jersey upheld the U.S. Federal Trade Commission’s authority to regulate data security practices under the unfairness provision of the Federal Trade Commission Act (FTC Act).  In FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019, --- F. Supp. 2d ---- (D.N.J. Apr. 7, 2014), the court ruled that the FTC may proceed with its lawsuit against affiliates of Wyndham Hotel and Resorts, LLC (Wyndham), which had been victims of computer hacking.  The FTC charged that Wyndham violated section 5(a) of the FTC Act by failing “to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”  In August 2012, we highlighted the FTC's efforts in pursuing this action against Wyndham.

Federal regulation of data security has largely focused on specific industry sectors, including health care services under the Health Insurance Portability and Accountability Act (HIPAA), financial services under the Gramm-Leach-Bliley Act (GLBA), and consumer reporting under the Fair Credit Reporting Act (FCRA).  This approach left regulation and enforcement of data security outside of these specific sectors largely to the states.  The FTC has sought to fill this space and become an omnibus data security enforcer in the federal government by using its general authority to bring unfairness and deception claims under the FTC Act.  Since the late 1990s, the Commission has brought dozens of legal actions against organizations that have been alleged to have violated consumers’ privacy rights or failed to maintain adequate security for sensitive personal information.  These prior enforcement actions have all settled.  The Wyndham decision represents the first judicial recognition of the FTC’s general authority over data security practices.

Background

Between 2008 and 2010, Wyndham allegedly experienced three data breaches that led to hackers stealing more than 619,000 consumer credit-card accounts and committing fraud worth $10.6 million.  The FTC sued Wyndham under Section 5 of the FTC Act, 15 U.S.C. § 45(a), which prohibits “unfair or deceptive acts or practices in or affecting commerce.”  The FTC, which has recently appealed to Congress for more express authority to regulate data security, alleges that Wyndham’s conduct was both unfair and deceptive for failing to implement proper data security measures.  In prior cases, the FTC has alleged that inadequate data security is either (1) deceptive because it contradicts promises made in company privacy policies; or (2) unfair because it creates an unavoidable harm to consumers that is not outweighed by other benefits. 

In response to the FTC’s suit, Wyndham claimed that the FTC had failed to state a case for relief and asked the court to dismiss the case.  Specifically, in reference to unfairness, Wyndham claimed that: (1) the FTC lacks authority to regulate data security under Section 5, shown by Congress’ activity in erecting alternative data security laws to regulate specific industries; (2) the FTC’s failure to promulgate specific regulations before bringing this claim offends fair notice principles and, thereby, violates the Due Process Clause of the 5th Amendment; and (3) the FTC has failed to plead sufficient harm to consumers or show that any such harm was caused by Wyndham’s actions.  Wyndham also moved to dismiss the FTC’s deception claim, which asserts that Wyndham’s website deceptively stated that Wyndham reasonably protected consumers’ privacy. [1] The court denied both motions. [2]

Summary of the Court’s Holding

First, the court rejected Wyndham’s contention that subsequent data security legislation and the Commission’s own representations of lack of authority precluded the FTC’s jurisdiction over data security.  Rather, the court held that there was room for an interpretation that alternative data protection legislation complements, rather than preempts, the FTC’s authority.  Furthermore, the FTC had not unequivocally disclaimed authority to bring any unfairness claim involving data security.  Importantly, the few FTC statements that Wyndham brought to the table were made in congressional hearings and reports in a three-year period well over a decade ago.  Since then, the Commission has consistently taken the position that it has such authority under Section 5.

Second, the court stated that the FTC was not required to promulgate specific regulations in advance of enforcement.  Rather, the FTC has the choice of proceeding in its enforcement by rulemaking or individual adjudication.  In addition, the court highlighted that a number of federal courts of appeals have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations.  The court found that the FTC is not necessarily required to formally publish rules and regulations since Section 5 is necessarily flexible. 

Third and finally, the court found that the FTC had alleged sufficient facts that Wyndham’s failure to address security issues led to substantial injury to consumers.  Perhaps in a harbinger of things to come, the court commented in a footnote that, “The parties contest whether non-monetary injuries are cognizable under Section 5 of the FTC Act.  Although the court is not convinced that non-monetary harm is, as a matter of law, unsustainable under Section 5 of the FTC Act, the court need not reach this issue given [the court’s analysis of the FTC’s allegations that consumers and businesses have suffered financial harm].  Importantly, the court highlighted that this opinion does not render a decision on liability and does “not give FTC a blank check to sustain a lawsuit against every business that has been hacked.” 

Detailed Analysis                  

The district court’s rulings reflect how difficult it will be for defendants to successfully challenge an FTC action at the pleading stage if other courts follow the reasoning of the Wyndham court.

1. Section 5(a)’s prohibition of “acts or practices in or affecting commerce” that are “unfair” authorizes the FTC to challenge data security practices.

The Wyndham court did not accept Wyndham’s reliance on FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), which rejected the FDA’s attempt to regulate tobacco products.  The court found that, unlike tobacco, Congress had not carved out data security regulation in the FTC Act, either in the original act or in intervening legislation.  Wyndham argued that intervening legislation—including FCRA,  GLBA, HIPAA and the Children’s Online Privacy Protection Act—explicitly grants the FTC authority to regulate certain data security practices and that those legislative grants of authority would have been unnecessary if the FTC already had the power to regulate data security under Section 5(a) of the FTC Act.  The district court rejected this argument, finding that the specific grants of authority are not incompatible with the FTC’s unfairness authority over data security.

2. Fair notice did not require the FTC to formally issue rules or regulations about data security practices before bringing its unfairness claim.

Wyndham argued that the FTC’s reasonableness standard, absent specific rules and regulations to provide guidance, fails to provide a baseline level of fair notice given “the highly complex and sophisticated world of data security.”  The court ruled that Section 5’s prohibitions are flexible and necessarily give the FTC authority to apply them on a case-by-case basis.  The court analogized the FTC to the National Labor Relations Board, which brings enforcement actions based on whether parties have bargained collectively “in good faith,” and the Occupational Health and Safety Administration, which enforces an employer’s general duty to provide a safe workplace.  In fact, the court found the fair notice argument particularly unpersuasive in light of Wyndham’s own privacy policy.  The policy, referencing “industry standards” and “reasonable efforts,” allegedly mirrors the standard that the FTC argues it is enforcing.

3.  The FTC adequately pleaded substantial, unavoidable injury and otherwise satisfied its pleading requirements on its unfairness claim.

To prove an unfair practice under the FTC Act, the FTC must prove that the unfair practice caused “substantial injury to consumers which is not reasonably avoidable by consumers themselves.”  Wyndham argued that the FTC will be unable to prove such substantial, unavoidable consumer injury because federal law places a $50 limit on consumer liability for unauthorized use of a payment card and all major credit cards waive liability for even this small amount.  The court rejected that argument because, on a motion to dismiss, the court is required to accept all allegations made by the FTC as true, and the FTC pleaded substantial actual injury to consumers, including “more than $10.6 million in fraud loss” and “unreimbursed fraudulent loss” to both consumers and businesses.  It will be interesting to see whether the FTC will be able to sustain this claim on summary judgment.

The FTC Act also requires proof of causation.  The district court ruled that the FTC’s allegations that, among other things, Defendants “failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess” and that hackers were able to access an administrative account by guessing user names and passwords were sufficient to plead causation.

4. The FTC adequately pleaded its deception claim.

Courts have split on the issue of whether the particularized pleading requirements of Federal Rule of Civil Procedure 9(b) apply to deception claims under the FTC Act. The Wyndham court was skeptical that strict pleading applied to the deception claim but found that, even if it did, the FTC had adequately pleaded its claim by alleging that Wyndham represented that it “safeguards” its customers’ information to “industry standards,” but that it allegedly failed “to adequately inventory computers . . . so that Defendants could appropriately manage the devices on its network;” “to employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations;” and “to follow proper incident response procedures, including failing to monitor [Wyndham’s] computer network for malware used in a previous intrusion.”

Conclusion

It remains to be seen whether Wyndham will continue to aggressively defend itself or will now choose to pursue a settlement with the FTC.  One possibility is that Wyndham could ask the district court to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power.  It would be unlikely for the court to grant such an extraordinary appeal.  If an interlocutory appeal were denied or not sought, Wyndham would need to wait to appeal its challenge to FTC authority until after a decision on the merits.  Of course, in the meantime, the FTC, having survived this motion to dismiss, still has the burden of proving its case.

Should Wyndham seek to settle the case, the typical characteristics of such data security settlements with the FTC are well known. In addition to paying a substantial civil penalty, defendants usually agree to put in place a comprehensive information security program appropriate to their size, the nature of what they do, and the sensitivity of the information processed.  As part of this data security program, they are usually required to:

• Name an employee who will be accountable for the program.
• Identify inside and outside risks.
• Put safeguards in place to control those risks and regularly test key systems and procedures.
• Use reasonable steps to choose service providers and contractually obligate them to abide by minimum data security standards.
• Modify the data security program as technologies and procedures evolve, as well as in response to emerging threats.
• Retain an independent auditor to certify the adequacy of the program every year or at least every other year for 20 years.

The Wyndham case is not the only ongoing litigation challenging the FTC’s authority to regulate data security under Section 5.  In LabMD, Inc. v. FTC, No. 14-00810 (N.D. Ga.), LabMD seeks an injunction to block the FTC’s administrative enforcement action against it for its alleged failure to provide adequate data security.  LabMD is similarly challenging the FTC’s authority to regulate data security.  An interesting aspect of the LabMD case is that as a HIPAA-covered entity, LabMD claims that its data security practices are governed only by HIPAA and data security enforcement is the sole province of the Department of Health and Human Services.  On April 7, relying in part on the Wyndham ruling, the FTC moved to dismiss an action in the Northern District of Georgia.  We will keep you apprised as both cases develop.

[1] Wyndham resisted the deception claim largely on the basis that the FTC had failed to link the privacy policies and practices of parent and subsidiary branches of the company.  

[2] Wyndham affiliates other than Wyndham Hotels and Resorts have separately moved to dismiss the claims against them, arguing that the FTC has not pleaded that they are directly liable and cannot adequately plead derivative liability.  That motion is currently pending.