In the rapidly evolving world of cybersecurity, one open issue is: Who is enforcing the laws that protect the public in a data breach? A federal court provided some guidance on this important issue when it allowed the Federal Trade Commission (FTC) to pursue a data security breach complaint against Wyndham Hotels (Wyndham).
The alleged data breach
Wyndham uses a “property management system” to, among other things, handle reservations and payment card transactions. The system stores customers’ personal information, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Between April 2008 and January 2010, hackers accessed Wyndham’s property management system on three separate occasions and gained access to personal information, including credit card information, stored on the system.
The FTC’s complaint
In a complaint against Wyndham, the FTC alleges that since at least April 2008, Wyndham failed to provide reasonable and appropriate security for the personal information it collected and maintained, and that its practices, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft. The FTC relied on Section 5 of the 1914 Federal Trade Commission Act as its authority to protect the public from “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” 15 U.S.C. §45(a).
Attacking the FTC’s ability to even bring the complaint, Wyndham asked the court to dismiss the FTC’s complaint on three grounds:
- The FTC lacks authority to assert an unfairness claim in the data security context;
- The FTC violates fair notice principles by bringing its unfairness claim without first formally promulgating regulations; and
- The FTC’s allegations are not specific enough to support either an unfairness or deception claim.
While the court recognized maintaining privacy in a “digital age” is an “ongoing struggle,” it rejected each of Wyndham’s arguments that data security protection is outside the scope of the FTC’s authority. Denying Wyndham’s motion, the court allowed the FTC to bring claims under the Federal Trade Commission Act in the data security context.
The court’s opinion
- Authority to bring an unfairness claim
Wyndham first challenged the FTC’s ability to bring a claim related to data security. Wyndham argued that the overall statutory scheme of data security legislation does not authorize the FTC to generally establish data security standards for the private sector.
Rejecting Wyndham’s argument, the court held that it was unwilling to carve out a data security exception to the FTC’s authority. The court noted that Wyndham failed to demonstrate how the FTC’s authority over data security would lead to a result that is incompatible with more recent legislation and thus would plainly contradict congressional policy. Instead, the court noted that federal data security regulation seems to complement the FTC’s authority by specifically granting the FTC substantive authority over data security practices.
- FTC failed to provide fair notice
Next, Wyndham contended that even if the FTC had sufficient authority, it would violate basic principles of fair notice and due process to hold Wyndham liable because the FTC has not promulgated rules, regulations or other guidelines explaining the data security standards it is attempting to enforce. Again rejecting Wyndham’s argument, the court found that the Federal Trade Commission Act is flexible enough to encompass data security protection without requiring the FTC to issue regulations. Consequently, the FTC did not violate Wyndham’s rights by failing to provide fair notice and due process.
- Pleading unfairness and deception claims with specificity
Finally, Wyndham argued that the FTC’s complaint failed to assert how the alleged data security failures caused the intrusions or resulted in particular consumer harm. The court found that the FTC sufficiently raised a claim of harm to consumers to meet the federal requirements. The court also held that the FTC adequately pleaded that the substantial injury was not reasonably avoidable.
Having dismantled each of Wyndham’s arguments, the court denied the company’s motion to dismiss the FTC’s complaint. This decision is not the end of this matter. The case will now proceed through discovery and, possibly, to trial.
Why this case matters
The FTC has filed many security breach-related lawsuits by invoking its powers under the Federal Trade Commission Act. Most of those cases have been resolved out of court. The Wyndham case is significant because it is the first opinion regarding the FTC’s authority to bring security breach cases under Section 5 of the Federal Trade Commission Act by alleging unfair or deceptive acts. With consumers demanding increased data security and lawmakers looking to hold companies accountable, this case may give the FTC the green light to become the new data security watchdog. One thing is clear: companies should expect the number of FTC filings against businesses based upon security breaches to increase in light of the Wyndham case granting the FTC authority to bring such cases.