Victory for FTC in Dispute Over Its Data Security Authority

The Federal Trade Commission (FTC) recently won a significant victory in federal court in its ongoing efforts to hold businesses accountable for their data security practices.

The United States District Court for the District of New Jersey rejected a challenge to the FTC’s authority over data security, allowing the FTC to continue with its action in court against the Wyndham Worldwide Corporation (Wyndham) for its data security failures.

Background on the Case

In June 2012, the FTC filed a complaint against Wyndham alleging that the company had violated Section 5(a) of the FTC Act — which prohibits unfair and deceptive practices — by failing to provide and maintain reasonable and appropriate security for its customers’ personal information. The FTC alleged that that these failures resulted in Wyndham suffering three security breaches between 2008 and 2010, compromising hundreds of thousands of customer payment card account numbers and causing over $10 million in fraud losses. For a prior alert containing additional facts of the case, click here.

In response to the FTC’s complaint, Wyndham filed a motion to dismiss, arguing (1) that the FTC does not have the authority to bring a Section 5 unfairness action for data security breaches; and (2) that the FTC must at least promulgate regulations before bringing such a claim.

What Did the Court Say?

The District Court dismissed both of Wyndham’s arguments. First, the Court held that the FTC does have statutory authority over data security under Section 5, noting that laws such as the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act complement this authority rather than preclude it. Second, the Court held that the FTC does not have to formally publish regulations before bringing enforcement actions for unfair practices. The Court stated that, while the FTC must provide fair notice of conduct forbidden or required, regulations are not the only means of providing this notice. Notice in this case was comprised of the FTC’s public complaints, consent agreements, public statements, and business guidance brochure, among other things.

Why Is This Significant?

This case highlights the fact that businesses must stay up to date on, and carefully consider, all FTC statements and guidance on data security in order to ensure that their practices comply with the law. A failure to take appropriate steps with regard to customer data could result in an FTC enforcement action.

Arent Fox will continue to monitor this case and the law as it relates to data breaches. 

Contacts

Continue Reading