In a much-anticipated decision, the U.S. District Court for the District of New Jersey upheld the FTC’s authority to regulate data security practices by denying Wyndham Worldwide Corporation’s motion to dismiss challenging the FTC’s authority to pursue unfair and deceptive trade practices claims arising from a cyber breach. The complaint against Wyndham asserts that Wyndham’s data security policies constituted unfair and/or deceptive trade practices, prohibited by Section 5(a) of the FTC Act, codified here. This is only the second challenge to the FTC’s data security regulatory authority under Section 5 in federal court. In the first, FTC v. Accusearch, the 10th Circuit supported the FTC’s authority under Section 5 of the FTC Act.

Wyndham and its subsidiaries own and manage franchised Wyndham hotels throughout the United States. Between 2008 and 2010, hackers, allegedly operating out of Russia, gained unauthorized access to Wyndham’s computer network and to the property management systems of individual hotels on three separate occasions. According to the complaint, the hackers accessed over half a million unique payment card accounts, along with their associated names and security codes. These account numbers were exported to a domain registered in Russia. Fraudulent charges on the compromised card accounts totaled over $10 million. The FTC filed its complaint on June 26, 2012, alleging that Wyndham’s failure to enact reasonable data security policies constituted an unfair trade practice, and that its published online privacy policy was “deceptive.”

Wyndham challenged the FTC’s authority to regulate data practices under Section 5. First, Wyndham argued that the FTC lacked authority under the unfairness prong of Section 5(a) of the FTC Act to regulate data security practices. Wyndham argued that the existence of other data security regulations as well as the FTC’s past statements disclaiming any authority over data security practices precluded the FTC’s claims. Judge Salas disagreed, holding that “the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” Further, she noted that “even accepting that the FTC shifted its stance on data security, this cannot limit its authority without more.”

Next, Wyndham argued that “it would violate basic principles of fair notice and due process” to allow the FTC to regulate data security practices under the unfairness prong without promulgating rules explaining how it intended to do so. The court disagreed, observing there is no requirement for the “FTC to formally publish a regulation before bringing an enforcement action under Section 5’s unfairness prong.”

Finally, Judge Salas ruled that the consumer injuries alleged in the complaint were both substantial and not reasonably avoidable. Notwithstanding the federal limit of $50 for consumer liability for unauthorized use of payment cards, the court found that the allegation of misuse of the hacked payment card data sufficed for the purposes of surviving a motion to dismiss. Similarly, the court found Wyndham’s argument that consumers could potentially avoid injury by seeking remuneration from their card issuers required an analysis that was too fact-dependent to grant a motion to dismiss.

Concerning the FTC’s deception claim, Wyndham argued that the FTC’s complaint lacked merit because the Wyndham-branded hotels and the company, Wyndham Hotels and Resorts, LLC, are legally separate entities, and in any event, the company’s privacy policy expressly disclaimed any representations as to the data security practices of the Wyndham-branded hotels. Judge Salas rejected the argument that Wyndham and Wyndham-branded hotels are separate entities for the purpose of the complaint. She also ruled that Wyndham’s disclaimers did not effectively communicate its privacy policy to consumers.

This case essentially leaves undisturbed the FTC’s authority under Section 5 to regulate data practices and investigate data breaches. The FTC has investigated multiple data security matters, and FTC Commissioners have underscored the high priority the Commission places on vigorous enforcement to protect consumers from data security breaches. In past cases, FTC enforcement has resulted in consent orders that call for improvements in privacy protection, oversight of privacy policies, privacy audits and fines that have been as high as $35 million.

Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.