In FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014)—a case closely watched by privacy and data security professionals across the United States—a federal district court held that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act")[1] to regulate data security practices and to bring enforcement actions targeting those practices deemed insufficient.[2] Notwithstanding any appeal in the case, the FTC's increasingly active role of late in regulating data security practices and the federal district court's decision in Wyndham mean that businesses should assess and, where appropriate, implement security measures that meet industry standards. Businesses should also review existing privacy policies in order to ensure consistency with actual practices.
Section 5 of the Act prohibits "unfair or deceptive acts or practices in or affecting commerce."[3] To date, the FTC has initiated over 50 enforcement actions under Section 5 of the Act that relate to a company's data security practices, and has variously relied on the deceptive or unfair practice prongs of the Act, or a combination of the two.[4] Under a deceptive practices theory, the FTC has alleged that a company, through its privacy policy or other similar statements, misrepresented its data security practices by overstating the protective measures in place to safeguard consumer data.[5] Under an unfair practices theory, the FTC has pursued companies that have failed "to employ reasonable and appropriate security measures to protect personal information and files."[6] Prompted by three data breaches suffered by Wyndham from mid-2008 through the end of 2009, the FTC filed a complaint in June 2012 alleging that Wyndham had violated both prongs of the Act.
In its complaint, the FTC alleged that Wyndham violated the deceptive practices prong of the Act by misrepresenting in its online privacy policy that it "had implemented reasonable and appropriate measures to protect personal information against unauthorized access" when, in reality, it had not.[7] The FTC further alleged that Wyndham violated the unfair practices prong of the Act by failing "in numerous instances . . . to employ reasonable and appropriate measures to protect personal information against unauthorized access," in that Wyndham "failed to employ commonly used methods to require user IDs and passwords that are difficult for hackers to guess," "failed to adequately inventory computers connected to [its] network," and "failed to use readily available security measures [such as firewalls] to limit access between and among" its various computer systems.[8] Rather than settling these charges by agreeing to a Consent Agreement with the FTC, as other businesses commonly do, Wyndham challenged the FTC's authority under the Act to regulate data security practices. In an order denying Wyndham's motion to dismiss the FTC's action, however, the court rejected Wyndham's challenge and affirmed the FTC's authority.
First, the court rejected Wyndham's claim that given the "recent data-security legislation and the FTC's public statements," it is clear that the FTC does not have the power to "assert an unfairness claim in the data-security context."[9] The court explained that recent legislation is not clearly incompatible with the notion that the FTC has existing authority to regulate data security.[10] Rather, the court explained that the new legislation supplements the FTC's existing authority.[11]
Second, the court rejected Wyndham's claim that the "FTC must formally promulgate regulations before bringing an unfairness claim" so that businesses have fair notice of what they must do in order to avoid an unfairness complaint.[12] In rejecting this assertion, the court noted that agencies can regulate through general rulemaking or individual adjudication, and that businesses can look to recent FTC consent agreements and public releases on data security for guidelines on appropriate security measures.[13]
Finally, the court rejected Wyndham's claim that the FTC was without authority to assert a claim against Wyndham because the data breaches did not cause consumers "substantial injur[ies]" that were not "reasonably avoidable," which is required by the Act as a prerequisite to the FTC's enforcement authority.[14] The court explained that whether consumers suffered financial injuries that were not reasonably avoidable was a factual inquiry that could not be resolved in a motion to dismiss.[15] Although the court left open the possibility that the FTC's enforcement action ultimately may fail should discovery reveal that consumers did not actually suffer a substantial injury, the court effectively reaffirmed the FTC's asserted authority to regulate data security practices.
Given the increased scrutiny of privacy and data security practices that has arisen following recent, highly publicized data breaches suffered by large retailers, the court's decision may very well embolden the FTC to become even more active in regulating data security practices across numerous industries, many of which lack formal regulations or guidelines. Companies subject to FTC enforcement jurisdiction should therefore review their privacy and data security policies and implement industry-standard practices in order to mitigate potential FTC enforcement actions premised on deceptive or unfair practice claims.
Footnotes
[1] 15 U.S.C. § 45(a) (2012).
[2] FTC v. Wyndham Worldwide Corp., Civ. A. No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014).
[3] 15 U.S.C. § 45(a)(1) (2012).
[4] See Enforcing Privacy Promises, The Federal Trade Commission (Apr. 8, 2014), http://1.usa.gov/1kr1hwZ; see also Legal Resources, The Federal Trade Commission (Apr. 8, 2014), http://www.business.ftc.gov/legal-resources/29/35.
[5] See, e.g., Complaint, In the Matter of Twitter, Inc., FTC Case No. C-4316, at 5, available at http://www.ftc.gov/sites/default/files/documents/cases/2005/09/092305comp0423160.pdf.
[6] See, e.g., Complaint, In the Matter of BJ's Wholesale Club, Inc., FTC Case No. C-4148, at 3, available at http://www.ftc.gov/sites/default/files/documents/cases/2005/09/092305comp0423160.pdf.
[7] First Am. Compl. at 18-19, FTC v. Wyndham Worldwide Corp., No. CV 12-1365 (D. Ariz. Aug. 9, 2012).
[8] Id.; Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 at *52-53.
[9] Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 at *16.
[10] Id. at *16-25.
[11] Id. at *19.
[12] Id. at *30-31.
[13] Id. at *31, *40-41.
[14] 15 U.S.C. § 45(n) (2012) ("The Commission shall have no authority . . . to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers. . . ."); see also Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 at *45-46 (rejecting Wyndham's assertion that, as a matter of law, affected consumers did not suffer substantial injuries as a result of the data breaches).
[15] Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 at *46-55.