After the hotel chain Wyndham Worldwide Corporation (“Wyndham”) suffered three data security breaches in the span of two years, the Federal Trade Commission (“FTC”) brought suit against Wyndham under Section 5 of the FTC Act. The FTC alleged that Wyndham had engaged in unfair and deceptive trade practices by: (1) failing to implement reasonable and appropriate data security measures to secure its customers’ personal information; and (2) misrepresenting that it had implemented such reasonable and appropriate measures to its customers.
While a number of companies, like Google and RockYou, have chosen to settle these types of claims with the FTC rather than engage in extensive litigation, Wyndham decided to fight back. Wyndham filed a Motion to Dismiss challenging the FTC’s authority to regulate and enforce data security standards under Section 5. Despite the broad language of Section 5, which provides that “[t]he Commission is . . . empowered and directed to prevent persons, partnerships, or corporations . . . from using . . . unfair or deceptive acts in or affecting commerce,” Wyndham argued that Section 5 “did not authorize the FTC to regulate anything and everything that the Commission might deem ‘unfair.’”
In support of its position, Wyndham pointed to the fact that Congress enacted several other laws (e.g., the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLB), The Health Insurance Portability and Accountability Act (HIPPA), and the Health Information Technology for Economic and Clinical Health Act (HITECH Act)) which expressly authorize federal agencies to establish minimum data-security standards in certain industries. Wyndham reasoned that “[b]y delegating certain limited authority to the FTC to regulate data security in narrow sectors of the economy, Congress has foreclosed any interpretation of Section 5 that would give the Commission overarching authority to set data-security standards for all businesses operating in all industries.”
In response, the FTC argued that laws such as the FCRA, GLB, HIPPA, and the HITECH Act are complimentary to the FTC’s authority under Section 5 and do not preclude broader enforcement actions by the FTC. The FTC maintained that Congress deliberately delegated broad power to the FTC under Section 5 to address a variety of unfair or deceptive trade practices, including those related to data security standards.
Although the Court could decide the Motion to Dismiss on other grounds, if the decision rests upon a determination of the scope of the FTC’s authority under Section 5, the case will have a significant impact on the regulation of data security on the national level. If Wyndham prevails, the FTC may find itself without the authority to enforce data security standards under Section 5. Alternatively, if the FTC prevails, it is reasonable to assume the FTC would step up its enforcement actions against organizations with lax data security practices and policies.
Update: On April 7, 2014, the United States District Court of New Jersey issued an order denying Wyndham’s motion to dismiss. In addition to finding for the FTC on two other issues raised by Wyndham, the Court rejected Wyndham’s challenge to the FTC’s authority under Section 5 to regulate and enforce data security standards. Wyndham’s main argument on the issue was that subsequent laws enacted by Congress (such as the FCRA, GLBA, and HIPPA) acted to limit the FTC’s authority under Section 5, but the Court stated that these laws actually “seem[] to complement—not preclude—the FTC’s authority” under Section 5. In its opinion denying the motion to dismiss, the Court made efforts to ensure that its decision on the FTC’s authority are based on the specific facts in this case and stated “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Despite these qualifiers, the Court’s order to deny Wyndham’s motion to dismiss confers upon the FTC a broad authority to regulate data security standards under Section 5.
Wyndham has appealed to a Third Circuit panel. Oral arguments were heard on March 3, 2015 and the FTC filed a Supplemental Brief on March 27th. As of yet, no decision has been made by the Third Circuit as to whether the FTC has the authority to regulate data security.
Stay tuned as a decision should be rendered shortly.