A recent United States District Court decision underscores the importance for business owners of assessing and implementing data security measures that comply with industry standards. In recent years, the Federal Trade Commission (FTC) has become increasingly active in regulating data security practices, initiating over 50 enforcement actions to date. In the first case to challenge the FTC’s authority to regulate data security measures in court, the ruling has potentially opened the door to greater cyber-security compliance obligations and legal risk for businesses.
On April 7, 2014, the United States District Court for the District of New Jersey held that the FTC could proceed with a lawsuit against Wyndham Worldwide based on its allegation that the hotel company’s security practices violated Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Prompted by three data breaches suffered by Wyndham between 2008 and 2010, the FTC brought suit against Wyndham in 2012, alleging that it had violated the Act by misrepresenting in its online privacy policy that it “had implemented reasonable and appropriate measures to protect personal information against unauthorized access” when it had not. In particular, the FTC alleged that Wyndham’s security practices were deficient in the following respects, among others:
failing to use firewalls; permitting storage of payment card information in clear readable text; allowing its hotels to connect insecure servers to its computer network; permitting servers on its networks with commonly-known default user IDs and passwords; failing to use commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; failing to monitor its computer network for malware used in a previous intrusion; and failing to restrict third-party access.
Moreover, the FTC claimed that after discovering these security breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” As a result, the FTC alleged, Wyndham had “exposed consumers’ personal information to unauthorized access, collection and use” that has caused or is likely to cause substantial consumer injury, including financial injury.
In response, Wyndham moved to dismiss the FTC’s complaint on the grounds that the FTC lacked authority under the Act to regulate data security practices. In denying Wyndham’s motion, however, the Court upheld, and perhaps expanded, the FTC’s authority to regulate such practices. Indeed, the Court’s opinion suggests very few, if any, constraints on the authority of the FTC to develop a common law of data protection requirements through case-by-case adjudication. Specifically, in response to Wyndham’s argument that the “FTC must formally promulgate regulations before bringing an unfairness claim” in order to give a business fair notice of the requirements for compliance, the Court noted that FTC unfairness actions have been upheld in a variety of contexts without preexisting rules or regulations specifically addressing the conduct at issue. The Court therefore held that the FTC may regulate either through general rulemaking or through individual adjudication. Thus, a business must look to the rulings, interpretations and opinions of the FTC for guidance, and need not be given particular notice of what constitutes “unfair” conduct.
The Court also rejected Wyndham’s claim that the three data breaches at issue did not cause consumers any “substantial injury” because consumers could have their payment card issuers reverse any unauthorized charges. In doing so, the Court explained that whether consumers suffered financial injuries that were not reasonably avoidable is a factual inquiry that cannot be resolved on a motion to dismiss. The Court therefore left open the possibility that, if discovery does not reveal evidence of substantial injury suffered by consumers, Wyndham may yet prevail against the FTC. Nonetheless, the Court’s ruling on this point amounts to an affirmation of the FTC’s authority to regulate data security practices.
Overall, the opinion leaves the FTC with few, if any, constraints on its authority to enforce Section 5 of the FTC Act and to prosecute potential violations of it. Indeed, the opinion makes clear that the FTC: (1) need not promulgate specific regulations informing entities as to what activities constitute “unfair or deceptive acts or practices in or affecting commerce,” and (2) need not plead with much particularity the basis for its allegation that consumers have suffered “substantial injury” as a result of such conduct.
As a result, businesses should take particular care to avoid an FTC investigation and possible enforcement action. Specifically, they should be aware of the data protection standards in their respective industries, and should carefully and regularly review their own consumer data protection and privacy practices to ensure that they meet those standards. The deficiencies alleged in the Wyndham complaint (the absence of firewalls, storage of payment card data in clear text, insecure servers and default credentials on the network, weak password requirements, no monitoring for previously seen malware, and unrestricted third-party access) are themselves a practical checklist of what the FTC regards as unreasonable, and a business whose privacy policy promises “reasonable and appropriate” security should be able to show that each of these is addressed. The recent opinion makes plain that taking these precautions is the cornerstone of complying with Section 5 of the FTC Act, and is critical to mitigating the risk of suffering the burden and expense of an FTC enforcement action.