Federal Appeal Challenges Authority of FTC to Regulate a Private Company’s Security Practices Regarding Personally Identifiable Information
A pending appeal before the United States Third Circuit Court of Appeals, Federal Trade Commission v. Wyndham Worldwide Corp., et al., Case No. 14-3514 (3d Cir., 2014), challenges the authority of the Federal Trade Commission to pursue claims against businesses arising from electronic data security breaches.
Wyndham Hotels suffered three data security breaches between April 2008 and January 2010 when hackers compromised the company’s “property management system” and were able to gain access to protected personal and financial information, including credit card data, stored on the system. The breaches led to the theft of more than 619,000 payment card account numbers and more than $10.6 million in fraud losses. As a result, the FTC sued Wyndham and alleged that Wyndham’s computer security protocols violated Section 5 of the 1914 Federal Trade Commission Act, which prohibits “unfair” or “deceptive” trade practices. The FTC Act gives the FTC authority to prosecute acts or practices that are unfair or deceptive and cause damage to consumers. The FTC has taken the position that unsafe cybersecurity policies constitute a type of “unfair” or “deceptive” trade practice. In response, Wyndham moved to dismiss the FTC’s complaint and raised several arguments to support the defense that the FTC does not have authority to prosecute companies for electronic data breaches. The lower tribunal denied Wyndham’s Motion to Dismiss, but allowed Wyndham to seek immediate interlocutory review of that ruling. Wyndham and the FTC have since filed briefs on the issues.
This is one of the only cases where a company has challenged the FTC’s authority to take action due to allegedly deficient security practices. This appeal will address two key questions that may shape the future of data breach enforcement.
1) “Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a);” and
2) “Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).”
Wyndham’s case is predicated on the argument that the FTC cannot proceed under Section 5 of the Federal Trade Commission Act without first publishing specific technical guidance as to what constitutes appropriate data security protocols and procedures. The FTC has taken the position that no specific regulatory guidance is required and that the FTC may seek sanctions against companies that do not take “reasonable” precautions, as the failure to do so is an unfair or deceptive trade practice that causes substantial injury to consumers. The due process implications are obvious – how is a repository of confidential information to know when its security systems are adequate to pass muster, in the absence of specified guidelines and criteria?
Oral argument of this matter is set to occur on March 3, 2015, with a decision to be issued thereafter. Notably, the Appellate Court has asked the parties to be prepared to discuss the following:
"(1) Has the Federal Trade Commission declared that unreasonable cybersecurity practices are "unfair," 15 U.S.C. § 45(a), through the procedures provided in the Federal Trade Commission Act, 15 U.S.C. §§ 41-58?
(2) Assuming it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are "unfair" in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?"
Regardless of the outcome, it is clear that both state and federal regulators will be asking challenging questions regarding both the technical and policy measures taken to protect Personally Identifiable Information (“PII”) and other sensitive data. Given the current flexible, but non-specific “reasonableness” standard, documentation of the processes followed in evaluating the reasonableness of data security policies is critical to support the defense that the implemented security protocols were reasonable and appropriate under the circumstances.