Federal Trade Commission Can Pursue Claims Against Company for Failure to Have Adequate Data Security, Court Rules

April 10, 2014

 

Issue:

In a decision that is likely to result in increased federal enforcement actions against companies that suffer data security breaches but are found not to have taken sufficient steps to protect the data, a federal court on April 7, 2014, upheld the authority of the Federal Trade Commission (“FTC”) to require “reasonable” data-security measures and to pursue a complaint against companies that fail to do so when there is resulting substantial harm to consumers from a breach. See FTC v. Wyndham Worldwide Corp., --- F. Supp. 2d ---, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The decision is notable as the first federal court opinion addressing a breached entity’s challenge to the FTC’s assertion of broad authority under Section 5 of the FTC Act, which generally prohibits “unfair” or “deceptive” business practices, to enforce data-security standards across most industrial sectors that collect, use, or maintain consumers’ personal information.

Background.  In the Wyndham case, the FTC brought an action against Wyndham Worldwide Corporation and subsidiaries for allegedly failing to provide reasonable data-security measures before and after discovery of unauthorized access to its customer database. 2014 WL 1349019, at *1. Wyndham allegedly failed to employ, for example, commonly-used measures to require more difficult passwords, to adequately inventory computers connected to its network, and to limit access to personal data using firewalls. Id. at *17-18. According to the FTC, as a result of these security failures, Wyndham’s databases were compromised at least three times between 2008 and 2010, potentially exposing over 619,000 consumer payment card accounts. Id. at *2-3.

The FTC requires what it deems reasonable security measures to protect consumer data, and it considers the failure to provide such reasonable security measures an “unfair” business practice in violation of Section 5. Broad questions at issue in this opinion include whether Section 5 authorizes the FTC to regulate a company’s data-security practices and whether the agency can enforce data-security standards without first promulgating regulations.

Ruling.  Wyndham presented three main arguments against the FTC’s enforcement action. The court rejected each.

First, Wyndham argued that the FTC has no authority to assert Section 5 “unfairness” claims in a data security breach context, given the existence of recent statutes that establish minimum data-security standards in specific industries, such as the Fair Credit Reporting Act ("FCRA"), the Gramm-Leach-Bliley Act (“GLBA”) or the Children’s Online Privacy Protection Act (“COPPA”). Id. at *4-5. Wyndham argued that those industry-specific statutes would not make sense if the FTC already has the authority to enforce data-security standards in every industry under Section 5. Id. The court rejected this argument, finding that these statutes and “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority” to enforce data-security standards. Id. at *7. For example, the FCRA, GLBA and COPPA set forth different injury requirements than Section 5 of the FTC Act, and so, in the court’s view, grant the FTC “additional enforcement tools.” Id.

Second, Wyndham argued that the FTC had disclaimed general authority over data security and privacy standards in various public statements made over three years. Id. at *7-8. After reviewing the statements, the court found that Wyndham failed to establish a “lengthy, forceful history of repeated and consistent disavowals” by the FTC. Id. at *8 (distinguishing FDA v. Brown v. Williamson Tobacco Corp., 529 U.S. 120 (2000), a case relied upon by Wyndham in which the FDA disclaimed any authority to regulate tobacco products). The court noted the FTC brought unfairness claims in the data-security context shortly after its public statements were made and that subsequent FTC statements confirmed its assertion of authority in this arena. Id. In effect, the court rejected Wyndham's request that to carve out a data-security exception to the FTC’s authority. Id. at *9.

Third, Wyndham argued that the principles of “fair notice” require the FTC to promulgate regulations setting forth the appropriate level of data security before the agency can bring an action to enforce data-security standards. Id. at *10-11. The court rejected this argument as well. Noting that numerous “Circuit Courts of Appeal have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations specifically addressing the conduct-at-issue,” id. at *12, the court ruled that the FTC has sufficiently provided fair notice based on its many public complaints and consent decrees, its public statements, and its business guidance brochures. Id. at *14. The court explained that “the contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations.’” Id. at *14.[1]

The court also addressed several of Wyndham’s substantive arguments that the FTC had failed to state a claim. Wyndham argued the FTC failed to allege “substantial injury to consumers which is not reasonably avoidable by consumers themselves” (necessary elements of the unfairness claim) on the grounds that federal law limits consumer liability for unauthorized charges to just $50 and that any “incidental injuries” are insufficient. Id. at *15. The court rejected this contention, finding that the FTC alleged substantial consumer injury in the form of financial injury, including “unreimbursed financial injury” resulting from unauthorized charges. Id. at *16-17 (distinguishing Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), where the Third Circuit found no injury-in-fact because the plaintiff alleged no misuse of credit card information as the result of a breach). Drawing inferences in favor of the FTC, the court found also that the FTC adequately alleged causation based on allegations that Wyndham’s security practices “exposed consumers’ personal information to unauthorized access, collection, and use” and that this conduct “caused and is likely to cause” substantial consumer injury. Id. at *18. With respect to the FTC’s deception claim, which was based on Wyndham’s alleged misrepresentations in its privacy policy relating to its data security practices, the court declined to apply the heightened pleading standard of Rule 9(b) typically required for claims sounding in fraud to Section 5 claims. Id. at *21 (noting a split among district courts on Rule 9(b)’s applicability to Section 5 deception claims).

Why You Should Care:

The FTC previously brought about 50 similar data-security complaints against companies for failing to provide what it deems reasonable security measures to protect consumers’ personal information. But this is the first federal court ruling on whether the FTC has authority to bring such claims at all.

This ruling supports the FTC’s assertion of broad authority to enforce data-security standards, even in industries where data practices are not specifically regulated by statute. That issue likely will continue to be litigated in other matters, but the decision was a victory for the FTC. In the absence of any regulations, businesses must look instead to a number of disparate sources to determine what are “reasonable” security measures, including the FTC’s prior enforcement actions, consent decrees, public statements, and business guidance brochures, as well as industry best practices and potentially analogous laws. Businesses collecting, using, or maintaining consumer data should carefully evaluate their practices to ensure they do not become the FTC’s next target.

If You Want Further Information:

The case is FTC v. Wyndham Worldwide Corp., No. 13-cv-01887, filed in the U.S. District Court, District of New Jersey. The FTC’s webpage regarding this enforcement action is here.

If You Want Further Analysis:

Contact Richard Parker, (202) 383-5380 or rparker@omm.com; Randall W. Edwards, (415) 984-8716 or redwards@omm.com; Maryanne Kane, (202) 383-5237 or makane@omm.com; Katrina Robson, (202) 220-5052 or krobson@omm.com; Mimi Vu, (415) 984-8957 or mvu@omm.com.

[1] Wyndham appears consistent with FTC v. Accusearch, in which the Tenth Circuit affirmed summary judgment in favor of the FTC for violations of Section 5’s unfairness prong based on evidence the defendant sold consumers’ personal data, even where the FTC otherwise lacks authority to regulate the conduct under a separate statute or rule. See 570 F.3d 1187, 1194-95 (10th Cir. 2009) (cited in Wyndham, 2014 WL 1349019, at *12).

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall Edwards, an O'Melveny partner licensed to practice law in California, and Mimi Vu, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2014 O'Melveny & Myers LLP. All Rights Reserved.