In a recent decision, a federal judge concluded that the Federal Trade Commission (FTC) has the power to regulate data security and thus rejected a company’s challenge to the FTC’s authority. If the decision stands, the FTC is likely to continue its scrutiny of businesses’ data-security practices.
In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham’s corporate computer systems and stole credit card numbers. The FTC claimed that Wyndham’s allegedly inadequate data security was an “unfair or deceptive act or practice” in violation of the FTC Act. The FTC brought an action in federal court in New Jersey.
As of the first quarter of 2014, the FTC had filed at least 50 such actions against companies that have had a data or security breach. Traditionally such actions had been brought under the Act’s “deceptive” prong, but more recently the FTC has invoked the nebulous “unfairness” prong of the Act. Most of the enforcement actions have ended in settled consent decrees, but Wyndham (and Georgia-based LabMD, in separate proceedings) have challenged the FTC’s authority to regulate data security.
In the New Jersey case, Wyndham filed a motion to dismiss, arguing that the FTC did not have clear statutory authority to enforce data security requirements. Among other things, Wyndham cited more specific data security laws and the ongoing national debate about the need for new legislation. Wyndham also argued that the FTC had not put companies on notice of potential violations by failing to enact data security rules or regulations. In April 2014, the court rejected Wyndham’s argument by denying its motion to dismiss, stating that there is “binding and persuasive precedent” to uphold the FTC’s authority. In the court’s view, accepting Wyndham’s argument that detailed data security rules are required before the FTC could enforce security requirements would “undermine 100 years of FTC precedent.” The court declined to “carve out” a data security exception to FTC authority, instead holding that the FTC need not establish standards before bringing data breach lawsuits.
As the court in Wyndham was careful to emphasize, its ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Nonetheless, this decision almost certainly will lead to more security-related actions by the FTC. Companies should continue to monitor Wyndham, LabMD, and further enforcement efforts by the FTC.