Landmark Decision Confirms FTC Authority to Regulate Privacy and Data Security
In FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014)—a case closely watched by privacy and data security professionals across the United States—a federal district court held that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act") to regulate data security practices and to bring enforcement actions targeting those practices deemed insufficient. Notwithstanding any appeal in the case, the FTC's increasingly active role of late in regulating data security practices and the federal district court's decision in Wyndham mean that businesses should assess and, where appropriate, implement security measures that meet industry standards. Businesses should also review existing privacy policies in order to ensure consistency with actual practices.
First, the court rejected Wyndham's claim that given the "recent data-security legislation and the FTC's public statements," it is clear that the FTC does not have the power to "assert an unfairness claim in the data-security context." The court explained that recent legislation is not clearly incompatible with the notion that the FTC has existing authority to regulate data security. Rather, the court explained that the new legislation supplements the FTC's existing authority.
Second, the court rejected Wyndham's claim that the "FTC must formally promulgate regulations before bringing an unfairness claim" so that businesses have fair notice of what they must do in order to avoid an unfairness complaint. In rejecting this assertion, the court noted that agencies can regulate through general rulemaking or individual adjudication, and that businesses can look to recent FTC consent agreements and public releases on data security for guidelines on appropriate security measures.
Finally, the court rejected Wyndham's claim that the FTC was without authority to assert a claim against Wyndham because the data breaches did not cause consumers "substantial injur[ies]" that were not "reasonably avoidable," which is required by the Act as a prerequisite to the FTC's enforcement authority. The court explained that whether consumers suffered financial injuries that were not reasonably avoidable was a factual inquiry that could not be resolved in a motion to dismiss. Although the court left open the possibility that the FTC's enforcement action ultimately may fail should discovery reveal that consumers did not actually suffer a substantial injury, the court effectively reaffirmed the FTC's asserted authority to regulate data security practices.
Given the increased scrutiny of privacy and data security practices that has arisen following recent, highly publicized data breaches suffered by large retailers, the court's decision may very well embolden the FTC to become even more active in regulating data security practices across numerous industries, many of which lack formal regulations or guidelines. Companies subject to FTC enforcement jurisdiction should therefore review their privacy and data security policies and implement industry-standard practices in order to mitigate potential FTC enforcement actions premised on deceptive or unfair practice claims.
Mauricio F. Paez
Richard J. Johnson
Katherine S. Ritchey
Gregory P. Silberman
Jones Day prepares summaries of significant antitrust enforcement, litigation, and policy events as a service to clients and interested readers, to provide timely insight on antitrust and competition law developments relevant to business, but not as legal advice on any specific matter.