Third Circuit Affirms the FTC's Authority to Regulate and Enforce Data Security
In FTC v. Wyndham Worldwide Corp., No 14-3514, -- F.3d-- (3d Cir. Aug. 24, 2015), the Third Circuit issued an important decision affirming a United States District Court of New Jersey ruling that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act")[i] to regulate and enforce data security practices. The Third Circuit decision bolsters the FTC in its increasingly active role in regulating consumer data security.
Section 5 of the Act prohibits "unfair or deceptive acts or practices in or affecting commerce."[ii] Since 2005, the FTC has increasingly initiated enforcement actions against companies for their allegedly inadequate cybersecurity practices that expose consumer data to theft, by relying on the deceptive and/or unfair practice prongs under Section 5.[iii] The FTC has pursued companies for alleged failures "to employ reasonable and appropriate security measures to protect personal information and files,"[iv] and for alleged misrepresentations regarding consumer data security practices in privacy policies or advertisements.[v]
In response to the FTC's complaint, Wyndham filed a motion to dismiss, challenging the FTC's authority under the Act to regulate and enforce consumer data security practices.
The District Court of New Jersey denied Wyndham's motion, finding that the FTC has authority under the Act to regulate and enforce data security practices affecting commerce. In so holding, the district court rejected Wyndham's claim that recent cybersecurity legislation made clear that the FTC had no existing authority to regulate data security (or Congress would not have enacted the legislation). The district court further found that businesses had fair notice regarding how to avoid liability under Section 5, noting that businesses could have looked to recent FTC consent agreements, public releases, and guidance on appropriate consumer data privacy and security practices.[viii]
The Third Circuit granted interlocutory appeal and affirmed the District Court ruling, holding that the FTC indeed had the requisite legal authority to regulate consumer data security under the Act. The Third Circuit rejected Wyndham's argument that the need for recent cybersecurity legislation illustrated that the FTC had no such existing authority.[ix]
Tellingly, the Third Circuit also rejected Wyndham's contention that the FTC failed to adequately notify companies through rules, regulations, or other guidelines defining the proper level of data security standards. In essence, Wyndham argued that before bringing an unfairness action under Section 5, the FTC had to publish rules and regulations. The Third Circuit held, however, that Wyndham had fair notice that its conduct could fall within Section 5, determining that Wyndham could reasonably foresee that a court could construe its data security practices as an unfair act or practice. The court pointed to the allegations in the complaint that Wyndham failed to use firewalls or take other data security measures, did not restrict third-party access, and was hacked more than once. The court also referenced the FTC's 2007 guidebook for businesses on protecting personal information and several FTC complaints and consent decrees regarding consumer data security and privacy, finding that the FTC's "expert views" could have helped Wyndham.[x]
Although the Third Circuit decision affirmed the FTC's regulatory authority over data security and consumer protection, the FTC's case against Wyndham is far from over. On remand, the FTC will have to prove its allegations and establish that the data breaches caused substantial injuries that consumers could not have reasonably avoided. Michael Valentino, a spokesman for the company, recently stated that "[o]nce the discovery process resumes, [Wyndham] believe[s] the facts will show the FTC's allegations are unfounded."[xi] Barring a settlement, the Wyndham case will continue to be closely watched as perhaps the first case of its kind to fully litigate the merits of the FTC's enforcement actions in this unsettled arena.
Regardless of the outcome of the case, the Third Circuit's decision may bolster the FTC's ongoing efforts to investigate and enforce consumer data security breaches as reflecting an underlying unfair business practice, and it may further embolden the FTC to become more active across a wide variety of industries. Following the decision, FTC Chairwoman Edith Ramirez issued a statement that "[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."[xii] Companies have a strong incentive to ensure that they maintain policies and practices that meet or exceed data privacy and security industry standards, and to be aware of the FTC's enforcement position as reflected in its allegations in the Wyndham case.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
William F. Dolan
Todd S. McClelland
Daniel J. McLoon
Mauricio F. Paez
Michael G. Morgan
Amanda Pade and Jessica M. Sawyer, associates in the Los Angeles Office, assisted in the preparation of this Commentary.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
[i] 15 U.S.C. § 45(a).
[ii] 15 U.S.C. § 45(a)(1).
[vi] First Am. Compl. at 18-19, FTC v. Wyndham Worldwide Corp., No. CV 12-1365, at ¶ 24. (D. Ariz. Aug. 9, 2012).
[viii] FTC v. Wyndham Worldwide Corp., Civ. A. No. 13-1887, 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014).
[ix] Id. at 21.
[x] Id. at 22-23.
[xi] Pearson, Sophia, "Wyndham Must Face Hacker Suit as Court Upholds FTC Power," Bloomberg (August 24, 2015).
[xii] See Statement from FTC Chairwoman Edith Ramirez on Appellate Ruling in the Wyndham Hotels and Resorts Matter.