Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stating that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001). With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute, includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring to leave the agency “flexible” enough to deal with a changing security environment. While arguably defensible on statutory construction grounds, the Court’s decision adds to the enormous uncertainty among businesses regarding the vulnerability of their security practices to post hac agency action, an uncertainty that may require adoption of data security policies far more conservative than economic efficiency and balanced consumer protection might otherwise dictate. The Court did stress that it was only denying Wyndham’s motion to dismiss so as to leave a “liability determination [ ] for another day,” and also noted that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Assuming the case goes forward, Wyndham will certainly challenge whether the various consent orders and guidelines promulgated by the FTC were adequate to provide fair notice of the data security standard companies like Wyndham must meet. Wyndham will also be able to challenge whether its own measures were reasonable in light of any such standard, and to force the FTC to its proof as to whether Wydham’s practices caused substantial injury to consumers that was not reasonably avoidable by those consumers. Despite its posture, the Wyndham Worldwide decision is an important and long-anticipated one in rejecting many well-accepted arguments about the extent of the FTC’s jurisdiction and the requirement that the FTC provide reasonable notice of its rules. Indeed the Court rejected a contention that prior cases “require[] the FTC to formally publish a regulation before bringing an enforcement action under Section 5’s unfairness prong.” As such the decision has potentially wide-ranging ramifications so we intend to devote some attention to this case over the next few days. Today’s post will summarize the decision itself. Then, over the next several days, we will turn to a more detailed analysis of several key points, including a discussion of “fair notice” and what constitutes “reasonable” data security now. Summary of the District Court’s Decision Let’s start with some background. Section 5(a)(2) of the FTC Act empowers the FTC “to prevent persons, partnerships, or corporations” “from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” However, Section 5(n) limits the FTC’s authority to find practices “unfair” to those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The unfair practice alleged in the FTC’s complaint was that “Defendants have failed to employ reasonable and appropriate measures to protect personal information against unauthorized access.” The complaint lists ten unreasonable practices by Wyndham, of which the Court highlighted the following that “aligned” with particular alleged data breaches: failure to employ proper password protection; failure to adequately inventory computers connected to Wyndham’s’ network; and failure to employ “readily available security measures” such as firewalls. In response, Wyndham first argued that the FTC’s power to regulate under the unfairness prong does not include establishment of data-security standards for private businesses. Wyndham pointed to the multitude of laws authorizing federal agencies to create minimum data-security standards in specific sectors, which it contended meant that the very broad language of Section 5 had been narrowed over time. More significantly, Wyndham argued that under FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), the recent express authorizations of authority to the FTC regulate data security in targeted markets—under The Children’s Online Privacy Protection Act (COPPA), The Fair Credit Reporting Act (FCRA) and The Gramm-Leach-Bliley Act (GLBA)—constituted “powerful evidence that the FTC lacks general authority under Section 5 to regulate data-security practices in cases (like this one) that fall outside the confines of those narrow delegations.” Wyndham also pointed to express disavowals by the FTC of its ability to regulate data security generally. In Brown v. Williamson, a case involving the Food & Drug Administration’s attempt to regulate tobacco products, the Supreme Court held that where an agency's construction of a statute that it administers is in dispute, a court must determine “whether Congress has directly spoken to the precise question at issue.” Otherwise, the courts must respect the agency’s interpretation. The Supreme Court then examined the underlying statute and subsequent tobacco-specific legislation to reach the “inescapable conclusion” that the FDA was precluded from regulating tobacco. The Court further found that the FDA had repeatedly disavowed jurisdiction over tobacco for many years, and that Congress’ subsequent legislation on the subject “ratified” that disavowal. The New Jersey District Court in the instant case rejected Wyndham’s arguments under Brown v. Williamson, refusing to “carve out” a data security exception to the FTC’s Section 5 powers. The Court found that unlike in Brown v. Williamson, there was no “inescapable conclusion” that the FTC was precluded from regulating data security outside the narrow confines of COPPA, FCRA and GLBA. Rather, the Court believed that those authorizations could be read consistently with the broader authority under the FTC Act, and as supplemental to that authority rather than contradictory. The Court then dismissed the express disavowals of jurisdiction made by the FTC, stating conclusory that it was “not convinced that these statements, made within a three-year period, equate to a resolute, unequivocal position under Brown & Williamson that the FTC has no authority to bring any unfairness claim involving data security.” The Court noted that the FTC appeared to have changed its position after that three-year period, but otherwise provided little basis for its reasoning. The District Court next turned to Wyndham’s argument that the FTC failed to provide “fair notice” as to the standard of conduct Wyndham was required to follow because it had not promulgated any rules or regulations on point; in short, Wyndham maintained that businesses should not be forced to “divine” the FTC’s belief as to what practices will constitute unfair conduct. Wyndham also argued that the appropriate test for determining whether the FTC had provided fair notice was whether the standard of conduct for businesses such as Wyndham had been stated with “ascertainable certainty,” and that the standard cannot be met by announcing rules “for the first time in an enforcement proceeding.” The District Court, however, found that where an agency is given the choice of engaging in rulemaking or proceeding by individual adjudication, that choice is typically left to the discretion of the agency. The very breadth of the FTC Act, the Court held, suggested that the agency needs flexibility to address complex and differing situations. Refusing to find whether the correct standard was “ascertainable certainty”, the Court held that there was no requirement that the FTC formally publish regulations before bringing an individual claim. In any event, the Court found, there was sufficient “notice” found in “the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure.” Wyndham’s final argument under the unfairness prong was that the FTC had not properly pled that Wyndham’s practices were unfair because the FTC could not show that the practices caused or were likely to cause substantial injury to consumers that was not reasonably avoidable by those consumers. The Court rejected Wyndham’s contentions on substantial injury and avoidance almost summarily, finding that the FTC Complaint specifically alleged over $10.6 million in fraud loss and other financial injury including unreimbursed fraudulent charges, that Wyndham’s argument that statutory caps on consumer liability eliminate the possibility of substantial injury was unavailing given the FTC’s contrary pleading, and that the question of whether consumers could “avoid” injury by seeking reimbursement for losses was too fact-specific for decision on a motion to dismiss. More interesting was the Court’s take on causation. The Court found that “[t]he FTC’s allegations also permit the Court to reasonably infer that Hotels and Resorts’ data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers. The FTC alleges ‘a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’” Presumably many businesses may be surprised to learn that a federal court has now endorsed the FTC view that substandard (whatever that standard may be) security practices actually cause data theft. Finally, the FTC also avoided dismissal of its claim under the “deception” prong of Section 5. The Court found that defendant’s attempt to draw a distinction between the privacy policy promulgated by Wyndham Hotels & Resorts (the named defendant) and the security failures of its franchisees (Wyndham-branded hotels) was insufficient, at the pleading stage, to preclude a claim. It is unclear on the face of the decision to what it extent the fact that the Court found the deception claim valid may have influenced its decision on the unfairness prong. In our next post: Part II: Fair Notice or No Notice?