In earlier updates, we’ve provided background and tracked the progress (and the unique circumstances) of FTC v. Wyndham Worldwide Corp., et al. On April 7, a highly anticipated opinion was issued by New Jersey District Court Judge Esther Salas in a case that will likely have broad implications in the realms of privacy and data security. Through a motion to dismiss, Wyndham argued that the FTC had no authority to assert a claim in the data security context, that the FTC must first formally promulgate data security regulations before bringing such a claim, and that the FTC’s pleadings of consumer harm were insufficient to support its claims. The Wyndham court sided with the FTC on all of these arguments and denied Wyndham’s motion to dismiss.
In her April 7 opinion, Judge Salas turned first to Wyndham’s assertion that the FTC lacks the statutory authority to regulate data security practices for every American company. Wyndham pointed out that Congress has limited the FTC’s data security power to only certain, well-defined areas, citing the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA) as evidence of these boundaries. Judge Salas rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”
The court next addressed Wyndham’s argument that, even if the FTC is correct in its understanding of the statutes, it has not provided businesses the fair notice required by the Due Process Clause. Wyndham pointed out that the “FTC has not published any rules, regulations, or guidelines explaining to businesses what data-security protections they must employ to comply with the FTC’s interpretation of Section 5 of the FTC Act.” This has been a growing concern among U.S. businesses, which face a daily struggle against data breaches and related information security incidents and are unsure of what “reasonable data security practices” might mean. Judge Salas held, however, that the FTC’s interpretations of the FTC Act, “while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.”
Finally, with respect to Wyndham’s claim that the FTC failed to sufficiently plead harm to consumers, the court observed that the FTC’s claims were that “data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.”
As Judge Salas was quick to point out, the court did not render any decision with respect to liability in this opinion, which only addressed the motion to dismiss before it. The court also stated that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” (emphasis in original). But the fact remains that the FTC has prevailed here on a fundamental point. While it is difficult to tell at this point how this case will progress, the FTC can, at the very least, continue with its current data privacy regulation regime, and might take this decision as a cue to expand its role in this area. Companies would be well advised to take the time to review FTC reports, complaints, and consent decrees to ensure that they are steering clear of the specific data security practices the FTC has cited as flawed or insufficient.