Third Circuit Affirms the FTC's Authority to Regulate and Enforce Data Security

In FTC v. Wyndham Worldwide Corp., No 14-3514, -- F.3d-- (3d Cir. Aug. 24, 2015), the Third Circuit issued an important decision affirming a United States District Court of New Jersey ruling that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act")[i] to regulate and enforce data security practices. The Third Circuit decision bolsters the FTC in its increasingly active role in regulating consumer data security.

Section 5 of the Act prohibits "unfair or deceptive acts or practices in or affecting commerce."[ii] Since 2005, the FTC has increasingly initiated enforcement actions against companies for their allegedly inadequate cybersecurity practices that expose consumer data to theft, by relying on the deceptive and/or unfair practice prongs under Section 5.[iii] The FTC has pursued companies for alleged failures "to employ reasonable and appropriate security measures to protect personal information and files,"[iv] and for alleged misrepresentations regarding consumer data security practices in privacy policies or advertisements.[v]

Following three data breaches Wyndham experienced from mid-2008 through 2009, the FTC filed a complaint in June 2012, alleging that the hotel chain's cybersecurity measures were inadequate and that their privacy policy misrepresented those measures in violation of both the deceptive and unfair prongs of the Act. In its complaint, the FTC alleged that Wyndham engaged in unfair cybersecurity practices that "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."[vi] More specifically, the FTC alleged that Wyndham allowed hotels to store payment card information in plain text, failed to implement firewalls and other cybersecurity tools, and failed to restrict or secure third-party access to customer data.[vii] According to the FTC, the alleged inadequacies resulted in the inappropriate disclosure of credit card numbers for more than 619,900 consumers and roughly $10.6 million in losses due to credit card fraud. The FTC argued that "taken together, [Wyndham] unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

In response to the FTC's complaint, Wyndham filed a motion to dismiss, challenging the FTC's authority under the Act to regulate and enforce consumer data security practices.

The District Court of New Jersey denied Wyndham's motion, finding that the FTC has authority under the Act to regulate and enforce data security practices affecting commerce. In so holding, the district court rejected Wyndham's claim that recent cybersecurity legislation made clear that the FTC had no existing authority to regulate data security (or Congress would not have enacted the legislation). The district court further found that businesses had fair notice regarding how to avoid liability under Section 5, noting that businesses could have looked to recent FTC consent agreements, public releases, and guidance on appropriate consumer data privacy and security practices.[viii]

The Third Circuit granted interlocutory appeal and affirmed the District Court ruling, holding that the FTC indeed had the requisite legal authority to regulate consumer data security under the Act. The Third Circuit rejected Wyndham's argument that the need for recent cybersecurity legislation illustrated that the FTC had no such existing authority.[ix]

Tellingly, the Third Circuit also rejected Wyndham's contention that the FTC failed to adequately notify companies through rules, regulations, or other guidelines defining the proper level of data security standards. In essence, Wyndham argued that before bringing an unfairness action under Section 5, the FTC had to publish rules and regulations. The Third Circuit held, however, that Wyndham had fair notice that its conduct could fall within Section 5, determining that Wyndham could reasonably foresee that a court could construe its data security practices as an unfair act or practice. The court pointed to the allegations in the complaint that Wyndham failed to use firewalls or take other data security measures, did not restrict third-party access, and was hacked more than once. The court also referenced the FTC's 2007 guidebook for businesses on protecting personal information and several FTC complaints and consent decrees regarding consumer data security and privacy, finding that the FTC's "expert views" could have helped Wyndham.[x]

Although the Third Circuit decision affirmed the FTC's regulatory authority over data security and consumer protection, the FTC's case against Wyndham is far from over. On remand, the FTC will have to prove its allegations and establish that the data breaches caused substantial injuries that consumers could not have reasonably avoided. Michael Valentino, a spokesman for the company, recently stated that "[o]nce the discovery process resumes, [Wyndham] believe[s] the facts will show the FTC's allegations are unfounded."[xi] Barring a settlement, the Wyndham case will continue to be closely watched as perhaps the first case of its kind to fully litigate the merits of the FTC's enforcement actions in this unsettled arena.

Regardless of the outcome of the case, the Third Circuit's decision may bolster the FTC's ongoing efforts to investigate and enforce consumer data security breaches as reflecting an underlying unfair business practice, and it may further embolden the FTC to become more active across a wide variety of industries. Following the decision, FTC Chairwoman Edith Ramirez issued a statement that "[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."[xii] Companies have a strong incentive to ensure that they maintain policies and practices that meet or exceed data privacy and security industry standards, and to be aware of the FTC's enforcement position as reflected in its allegations in the Wyndham case.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.

William F. Dolan
Chicago
+1.312.269.4362
wdolan@jonesday.com

Todd S. McClelland
Atlanta
+1.404.581.8326
tmcclelland@jonesday.com

Daniel J. McLoon
Los Angeles
+1.213.243.2580
djmcloon@jonesday.com

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Jeff Rabkin
San Francisco
+1.415.875.5850
jrabkin@jonesday.com

Jay Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com

Michael G. Morgan
Los Angeles
+1.213.243.2432
mgmorgan@jonesday.com

Amanda Pade and Jessica M. Sawyer, associates in the Los Angeles Office, assisted in the preparation of this Commentary.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.