Last week, a highly anticipated question in data privacy was finally answered, clarifying the power of the Federal Trade Commission (FTC) to oversee commercial data security practices and to sue businesses that fail to adequately secure customer information against data breaches. F.T.C. v. Wyndham Worldwide Corp., CIV.A. 13-1887 ES, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). Refusing to “carve out a data security exception” from the FTC’s authority, U.S. District Court Judge Esther Salas held that the FTC’s enforcement powers under Section 5 of the Federal Trade Commission Act of 1914, 15 U.S.C. 45(a) (“FTC Act”), which prohibits unfair or deceptive trade practices, extend to data breaches. Because State Attorneys General (AGs) have often been granted similar consumer protection authority under their state unfair and deceptive trade practices statutes (UDAP statutes, commonly known as “mini-FTC Acts,” which are largely analogs of the FTC Act), we can expect this decision to similarly empower AGs to sue companies over data breaches.
The FTC sued Wyndham Worldwide Corporation and its subsidiaries (collectively, Wyndham) over three data breaches of company computer systems alleged to have occurred between April 2008 and January 2010, which resulted in the loss of personal and transactional data for over 619,000 customers and over $10 million in fraud losses. The FTC’s complaint alleged that Wyndham violated the FTC Act’s unfair trade practices prohibition because its “failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection, and use,” which “caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”
Wyndham moved to dismiss the FTC’s claims, arguing that Congress had not authorized the FTC to regulate data security broadly, as shown by its enactment of industry-specific laws containing data security standards, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act of 1996. The court found that these statutes did not contain consumer injury provisions and therefore did not conflict with the FTC’s authority under the FTC Act in a way that could preclude Section 5 enforcement in the field.
Wyndham also argued that the FTC’s assertion of authority violated basic principles of fair notice and due process because the agency had not provided guidance or notice of what would constitute an unfair data security practice under the FTC Act. Finding that the FTC was not required to publish such regulations or guidance before bringing a Section 5 enforcement action, the court held that the FTC’s interpretations of the Act, “while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” Wyndham Worldwide, at *15 (citing Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141–42 (1976)). The court also cited the FTC’s public statements and brochures, as well as Wyndham’s own references to standard industry practices, as indications of what reasonable data security standards are.
Now that the FTC has clear enforcement authority over data security, AGs cannot be far behind in asserting analogous authority under their mini-FTC Acts. The AGs have been active in data security for years, and recent state enforcement actions and investigations of large data breaches (e.g., Target Corp., Neiman Marcus, Experian), together with consumer concern, have pushed this issue to the forefront. As we have said in past posts, AGs have made protecting their citizens’ data security and privacy a key priority, triggering close scrutiny of business practices and enforcement. After Wyndham, businesses must be attentive not only to the FTC but also to State AGs, which includes reviewing the substance of any complaints, consent decrees, and public statements by these agencies as data security standards and duties regarding data breaches continue to evolve in this highly dynamic field.