Post a comment
Print articleThe FTC Act and Data Breaches: FTC v. Wyndham Worldwide Corp.
June, 2014 - John J. Delionado and Douglas C. Dreier
At the turn of the 21st century, various high-ranking Federal Trade Commission (FTC) officials stated that the Federal Trade Commission Act does not create requirements for what data-security measures companies must enact to ensure that private information is protected. The FTC Act’s catch-all prohibition against “unfair” or “deceptive” acts or practices, 15 U.S.C. § 45(a), was not believed to cover the data-breach and cyber security domain. Accordingly, if the federal government were to craft strict requirements for security, Congressional action (or at least an executive order) was required.
But that was over a decade ago. During the past decade, the FTC pursued several companies with high-profile breaches (e.g., TJX, Heartland, Accretive Health). Then in June 2012, the FTC sued Wyndham Worldwide Corp. and several related entities. Few companies challenged the FTC’s authority as directly as Wyndham did, and the FTC took undeniably aggressive action against Wyndham. Perhaps frustrated by Wyndham’s prior data breaches and its alleged failure to remediate – and perhaps also frustrated by Congress’s inability to pass comprehensive legislation on this subject (see, e.g., the failure of the Cyber Intelligence Sharing and Protection Act, first introduced on November 30, 2011) – the FTC decided to sue Wyndham under the FTC Act’s general prohibition on unfair or deceptive acts or practices.
On April 7, 2014, the U.S. District Court for the District of New Jersey issued its order and opinion on a motion to dismiss by one of the Wyndham defendants. FTC v. Wyndham Worldwide Corp., No. 13-1887 (D.N.J. Apr. 7, 2014). The defendant’s motion to dismiss argued three issues: (1) that the FTC lacks authority to assert an unfairness claim in the context of data security; (2) that the FTC must formally promulgate specific regulations before bringing an unfairness claim; and (3) that the FTC failed to plead with sufficient particularity a violation of the FTC Act. After review, the court denied the motion to dismiss in every respect.
First, the court rejected the defendant’s argument that the FTC lacks authority to assert an unfairness claim. The court refused to carve out a data-security exception to the FTC’s authority and saw no reason why poor data-security measures could not be deemed to be unfair. The FTC Act defines “unfair” acts or practices as those that “cause[] or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). This broad statutory definition for “unfair” would seem to cover poor data-security measures, so long as those measures cause or are likely to cause substantial injury that is not reasonably avoidable and not outweighed by “countervailing benefits.”
Second, the court rejected the defendant’s argument that the FTC failed to provide fair notice that the defendant’s conduct was illegal. The court characterized defendant’s fair notice argument as requiring that the FTC formally promulgate specific rules before it could sue under the FTC Act. The court noted that this requirement would effectively gut the FTC’s enforcement powers and that courts have never required agencies to abide by such stringent requirements. The FTC Act clearly prohibits unfair acts, and it attempts to define what is “unfair,” even if that definition is somewhat vague. This court determined that the FTC is not required to do anything further.
Third, the court rejected defendant’s argument that the FTC failed to plead that the defendant had violated the FTC Act with sufficient particularity. After discussing the proper standard to apply when analyzing the case, the court credited the FTC’s allegations, which included that Wyndham had failed to:
With the motion to dismiss denied in full, the defendant is now seeking to file an interlocutory appeal on the motion to dismiss. The defendant’s motion to certify the order for interlocutory appeal is currently pending. In the interim, all companies should pay heed to the FTC’s more aggressive stance on enforcement of data-security measures.
The allegations against Wyndham, which have not yet been tested, were egregious. Employing firewalls, using complex user IDs and passwords, monitoring malware, restricting third-party access, and regularly downloading security updates are standard measures that every company should do. Although no company is data breach proof, our experience is that the FTC does not act as aggressively in the wake of a data breach where it recognizes the soundness of the company’s data cyber security measures. Wyndham serves as a reminder that companies should stay up-to-date with the latest security measures, lest they find themselves in a lengthy and expensive battle with the FTC.
But that was over a decade ago. During the past decade, the FTC pursued several companies with high-profile breaches (e.g., TJX, Heartland, Accretive Health). Then in June 2012, the FTC sued Wyndham Worldwide Corp. and several related entities. Few companies challenged the FTC’s authority as directly as Wyndham did, and the FTC took undeniably aggressive action against Wyndham. Perhaps frustrated by Wyndham’s prior data breaches and its alleged failure to remediate – and perhaps also frustrated by Congress’s inability to pass comprehensive legislation on this subject (see, e.g., the failure of the Cyber Intelligence Sharing and Protection Act, first introduced on November 30, 2011) – the FTC decided to sue Wyndham under the FTC Act’s general prohibition on unfair or deceptive acts or practices.
On April 7, 2014, the U.S. District Court for the District of New Jersey issued its order and opinion on a motion to dismiss by one of the Wyndham defendants. FTC v. Wyndham Worldwide Corp., No. 13-1887 (D.N.J. Apr. 7, 2014). The defendant’s motion to dismiss argued three issues: (1) that the FTC lacks authority to assert an unfairness claim in the context of data security; (2) that the FTC must formally promulgate specific regulations before bringing an unfairness claim; and (3) that the FTC failed to plead with sufficient particularity a violation of the FTC Act. After review, the court denied the motion to dismiss in every respect.
First, the court rejected the defendant’s argument that the FTC lacks authority to assert an unfairness claim. The court refused to carve out a data-security exception to the FTC’s authority and saw no reason why poor data-security measures could not be deemed to be unfair. The FTC Act defines “unfair” acts or practices as those that “cause[] or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). This broad statutory definition for “unfair” would seem to cover poor data-security measures, so long as those measures cause or are likely to cause substantial injury that is not reasonably avoidable and not outweighed by “countervailing benefits.”
Second, the court rejected the defendant’s argument that the FTC failed to provide fair notice that the defendant’s conduct was illegal. The court characterized defendant’s fair notice argument as requiring that the FTC formally promulgate specific rules before it could sue under the FTC Act. The court noted that this requirement would effectively gut the FTC’s enforcement powers and that courts have never required agencies to abide by such stringent requirements. The FTC Act clearly prohibits unfair acts, and it attempts to define what is “unfair,” even if that definition is somewhat vague. This court determined that the FTC is not required to do anything further.
Third, the court rejected defendant’s argument that the FTC failed to plead that the defendant had violated the FTC Act with sufficient particularity. After discussing the proper standard to apply when analyzing the case, the court credited the FTC’s allegations, which included that Wyndham had failed to:
- Employ firewalls permitting storage of payment card information in clear readable text;
- Ensure Wyndham’s franchisees implemented adequate information security policies and procedures prior to connecting their local computer networks to defendant’s computer network;
- Prevent connection of insecure or out-of-date servers to defendant’s networks;
- Prevent the use of commonly-known default user IDs and passwords for network servers;
- Employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess;
- Adequately inventory computers connected to defendant’s network to manage devices on its network;
- Monitor Wyndham’s computer network for malware used in a previous intrusion;
- and Restrict third-party access.
With the motion to dismiss denied in full, the defendant is now seeking to file an interlocutory appeal on the motion to dismiss. The defendant’s motion to certify the order for interlocutory appeal is currently pending. In the interim, all companies should pay heed to the FTC’s more aggressive stance on enforcement of data-security measures.
The allegations against Wyndham, which have not yet been tested, were egregious. Employing firewalls, using complex user IDs and passwords, monitoring malware, restricting third-party access, and regularly downloading security updates are standard measures that every company should do. Although no company is data breach proof, our experience is that the FTC does not act as aggressively in the wake of a data breach where it recognizes the soundness of the company’s data cyber security measures. Wyndham serves as a reminder that companies should stay up-to-date with the latest security measures, lest they find themselves in a lengthy and expensive battle with the FTC.
