FTC Gets Green Light to Sue Merchants over Data Breaches
By Henry R. Chalmers, Litigation News Associate Editor – May 16, 2014

A decision in a closely watched data breach case will likely embolden the Federal Trade Commission in its efforts to hold businesses accountable for allegedly failing to implement sufficient safeguards to protect customers’ personal information. In Federal Trade Commission v. Wyndham Worldwide Corporation, one of the defendants challenged the FTC’s authority to sue merchants for data breaches. The U.S. District Court for the District of New Jersey denied the motion, recognizing the Commission’s broad power to combat unfair and deceptive trade practices.

The FTC alleges that several Wyndham hotel entities failed to establish appropriate security for the personal information they collected and maintained regarding their guests. As a result, the FTC maintains, intruders were able to “hack” into Wyndham’s computer network on three separate occasions over a two-year period and steal guests’ payment card information. The pilfered data was then used to make more than $10 million in fraudulent purchases.

The FTC’s complaint asserts violations of Section 5 of the Federal Trade Commission Act, which prohibits “unfair and deceptive acts or practices.” Wyndham moved to dismiss the lawsuit on three separate grounds, each of which the district court rejected.

No Congressional Preemption
Wyndham first argued that the FTC’s unfairness authority does not extend to data security. According to Wyndham, Congress fully occupied the field to the FTC’s exclusion by passing more narrowly tailored data-security legislation. Wyndham also contended that the FTC had disclaimed authority to regulate data security under Section 5, much like the FDA’s disclaimers over tobacco regulation in FDA v. Brown & Williamson Tobacco Corporation.

The court rejected these arguments. It distinguished Brown & Williamson because Congress’s data-security legislation, in its view, “seems to compliment—not preclude—the FTC’s authority.” Echoing earlier decisions that recognize a broad grant of authority under Section 5 of the FTC Act, the court found that “the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.”

Fair Notice Argument Rejected
Wyndham next argued that it had been deprived of fair notice because the FTC failed to promulgate rules or regulations “explaining what data-security practices the Commission believes Section 5 to forbid or require” prior to bringing its unfairness claim.

In rejecting this argument, the court noted long-standing precedent allowing Section 5 unfairness actions without preexisting rules or regulations. Indeed, courts have held that administrative agencies often have the option of enforcing similar prohibitions through individual enforcement actions instead of broad rulemaking. “[T]he contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations.’”

Besides, the court reasoned, regulations are not necessarily the only means of providing fair notice. To illustrate the point, the court noted the FTC’s many public complaints, consent agreements, and public statements, as well as a general business guidance brochure, all of which addressed perceived “gaps” in data security. The court further observed that Wyndham itself claimed in its own online privacy policy to follow “industry standard practices” and employ “commercially reasonable efforts” to protect guests’ data.

The court found it would be simply “untenable” to require the FTC to impose particularized, proscribing regulations before bringing unfairness enforcement actions—“a result,” the court said, “that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”

“Allowing that sort of flexibility in the dynamic arena of data security and privacy protection may be necessary,” says Stephen J. Siegel, Chicago, IL, cochair of the ABA Section of Litigation’s Commercial & Business Litigation Committee. “That said,” Siegel cautions, “many have expressed unease with the Commission bypassing rule-making processes to effectively develop a ‘common law’ of data security rules primarily by using complaints and private settlements.”

Claims Sufficiently Plead
Wyndham’s final argument challenged the particularity with which the FTC pled its unfairness and deception claims. First, Wyndham argued that the existence of caps on consumer liability for fraudulent payment card charges prevents any individual consumer’s injury from rising to the level of “substantial,” as required by Section 5. For purposes of ruling on the motion to dismiss, however, the court deferred to the FTC’s allegation to the contrary. What is more, the court noted, prior decisions have found injuries to be “substantial” when a small harm had been inflicted on a sufficiently large number of people.

Even so, Section 5 liability will not exist if the injuries were reasonably avoidable by affected consumers. Wyndham asserted that its guests could easily avoid financial injury simply by having their banks rescind the fraudulent charges. The court demurred on this point, finding it better suited for resolution on the merits. “It is important to note that the court didn’t deny that actual injury must be shown,” says Scott F. Bertschi, Atlanta, GA, cochair of the Section’s Professional Liability Litigation Committee. “Presumably, the FTC will be required to show some specific evidence of a causal linkage at the summary judgment stage.”

Finally, the court found that the FTC sufficiently alleged that Wyndham’s online privacy policy could lead guests at all Wyndham properties to conclude adequate measures were being taken to protect their personal information.

Edward A. Marshall, Atlanta, GA , cochair of the Payment Systems Subcommittee of the Section’s Commercial & Business Litigation Committee, wonders whether FTC actions like this are “an unwarranted government ‘pile on.’” Marshall notes that, in addition to the reputational harm and data breach response costs that hacked companies incur, “many of these merchants may be subject to significant liability assessments by the card networks, such as Visa and MasterCard, if the data breach resulted from a lack of fidelity to PCI data security standards.”

Though clearly broad in scope, the court tempered its ruling with a warning that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” The check it has written thus far, though, appears fairly large indeed.

Wyndham has moved the district court to certify its order for interlocutory appeal.

Keywords: data breach, FTC, Federal Trade Commission, Federal Trade Commission Act Section 5

 
Related Resources

A Deal is a Deal!
Abuse Hotline Does Not Create a Duty to Victim