Keywords: FTC, data-security standards, consumer information, hackers, security breach
In a recent decision, a federal judge concluded that the Federal Trade Commission (FTC) has the power to regulate data security and thus rejected a company's challenge to the FTC's authority. If the decision stands, the FTC is likely to continue its scrutiny of businesses' data-security practices.
In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham's corporate computer systems and stole credit card numbers. The FTC claimed that Wyndham's allegedly inadequate data security was an "unfair or deceptive act or practice" in violation of the FTC Act. The FTC brought an action in federal court in New Jersey.
As of the first quarter of 2014, the FTC had filed at least 50 such actions against companies that have had a data or security breach. Traditionally such actions had been brought under the Act's "deceptive" prong, but more recently the FTC has invoked the nebulous "unfairness" prong of the Act. Most of the enforcement actions have ended in settled consent decrees, but Wyndham (and Georgia-based LabMD, in separate proceedings) have challenged the FTC's authority to regulate data security.
In the New Jersey case, Wyndham filed a motion to dismiss, arguing that the FTC did not have clear statutory authority to enforce data security requirements. Among other things, Wyndham cited more specific data security laws and the ongoing national debate about the need for new legislation. Wyndham also argued that the FTC had not put companies on notice of potential violations by failing to enact data security rules or regulations. In April 2014, the court rejected Wyndham's argument by denying its motion to dismiss, stating that there is "binding and persuasive precedent" to uphold the FTC's authority. In the court's view, accepting Wyndham's argument that detailed data security rules are required before the FTC could enforce security requirements would "undermine 100 years of FTC precedent." The court declined to "carve out" a data security exception to FTC authority, instead holding that the FTC need not establish standards before bringing data breach lawsuits.
As the court in Wyndham was careful to emphasize, its ruling "does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked." Nonetheless, this decision almost certainly will lead to more security-related actions by the FTC. Companies should continue to monitor Wyndham, LabMD, and further enforcement efforts by the FTC.
Originally published 18 April 2014
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2014. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.