The Federal Trade Commission’s federal court data security enforcement case against hotel company Wyndham Worldwide Corp. may soon face dismissal, a result that could have significant consequences for the U.S. government’s ability to pressure private companies to maintain proper data security practices, privacy scholars and attorneys told BNA.
The FTC initiated its enforcement action against Wyndham Worldwide Corp. and several of its subsidiaries in June 2012, alleging that their failure to remedy a vulnerable security system after a 2008 breach resulted in two more breaches in less than two years and millions of dollars in fraudulent charges.
The subsidiary defendants include Wyndham Hotel Group LLC, which franchises and manages approximately 7,000 hotels, and two subsidiaries of Wyndham Hotel Group, Wyndham Hotels and Resorts LLC (“Hotels and Resorts”) and Wyndham Hotel Management Inc.
Company Fights Back.
The defendants have called for the case’s dismissal, focusing especially on the FTC’s alleged lack of authority to regulate data security under the unfairness prong of Section 5 of the FTC Act (FTC v. Wyndham Worldwide Corp., D.N.J., No. 2:13-cv-01887-ES-SCM).
“[T]he FTC wants to turn a statute designed to protect consumers from unscrupulous businessmen … into a tool to punish businesses victimized by criminals,” Hotels and Resorts argued in its motion to dismiss. “This is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”
The commission responded: “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it.”
The FTC has become the leading privacy and data security federal regulator “by being aggressive and by having an open, untested statutory authority,” Randal C. Picker, James Parker Hall distinguished service professor of law at the University of Chicago Law School, told BNA Aug. 22.
“The FTC has settled many cases, but the courts have said almost nothing about how the FTC has interpreted its authority in these areas and that is why everyone is eager for the result in Wyndham,” Picker added. “A single district court decision shouldn’t be that important but for now, Wyndham promises to be like finding a case of bottled water in the middle of the desert.”
‘Shaky Legal Ground’?
“While I think the FTC’s case may be on shaky legal ground, it would be a disaster if we lost our most effective cybersecurity enforcer, especially with Congress seemingly so incapable of addressing the need for legal incentives for better security throughout the economy,” Fred H. Cate, distinguished professor and C. Ben Dutton professor of law at Indiana University Maurer School of Law, told BNA Aug. 20.
The case is on “shaky legal ground” due to the lack of consumer injury and the absence of court challenges to the FTC’s multiple privacy and data security enforcement actions, Cate added Aug. 21. The Wyndham case is right now the “most important case” in privacy and data security law, he said.
“[T]he Defendants make compelling arguments, but they will likely face an uphill battle,” Steven B. Roosa, partner at Holland & Knight LLP in New York City, told BNA Aug. 21. “The fact that the case involves unencrypted credit card information makes this a much more accessible set of facts for the Court than the facts in a matter such as—just to take an example—the recent HTC consent decree, which addressed arcane issues relating to cryptographic device security, app permissions,” and other technical matters.
In February, the FTC announced that it had settled claims that mobile device manufacturer HTC America Inc. failed to take reasonable steps to secure millions of mobile devices shipped to consumers, which resulted in security flaws.
“Although I believe the right outcome under the law is for Defendants’ motion to dismiss to be granted, I suspect that the greater likelihood in this particular case is that it will be denied,” Roosa said. “As for the scope of the FTC’s jurisdiction going forward,” he added, “[c]ompanies are unfortunately facing the prospect of an FTC which views its statutory authorization as including security practices.”
“Whether or not Wyndham is successful, its challenge to FTC unfairness authority and to essentially regulation by enforcement actions and consent orders rather than legislation or administrative rule making is very important,” Alan Friel, partner at Edwards Wildman Palmer LLP, in Los Angeles, told BNA Aug. 22. “It will serve to check the creeping expanse of authority of the current FTC in the area of consumer protection where there is no Congressional mandate and no process for vetting out what makes good public policy in the open light where all stakeholders have an opportunity to contribute their thoughts and opinions.”
First Motions to Dismiss Denied.
In an amended complaint, the FTC alleged that the three breaches led to “the compromise of more than 619,000 consumer payment card numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
The FTC claimed the defendants’ “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information” violated Section 5(a) of the FTC Act,
On March 25, the U.S. District Court for the District of Arizona transferred the action to New Jersey, where the defendants are based, and denied the defendants’ initial motions to dismiss. The defendants refiled their motions to dismiss in April in the U.S. District Court for the District of New Jersey.
Authority to Regulate Data Security?
The prohibition on “unfair” acts or practices in Section 5 does not provide the FTC with the authority to regulate the data security of private businesses, Hotels and Resorts argued in its motion to dismiss. Statutes such as the
Hotels and Resorts pointed to past statements made by the FTC that its authority to regulate data security is limited to deceptive practices. For example, in its 2000 privacy report, the commission said it did not have the authority to require companies to adopt “information practice policies.”
The FTC’s requests to Congress for legislation giving it broader authority evidence such a lack of power, Hotels and Resorts said. It also pointed to Congress’s consideration and rejection of cybersecurity requirements for the private sector, and “the intense political debate that has surrounded efforts to establish such standards.”
In its response, the FTC countered that Section 5 of the FTC Act grants it authority to regulate companies’ data security practices. It said deference to an agency interpretation is necessary where an issue involves public controversy.
“The subsequent enactment of sector-specific laws to enhance regulatory authority over data security in particular industries neither contradicts nor is inconsistent with Congress’s grant of broad authority to the FTC to prohibit deceptive and unfair practices that injure consumers,” the commission said.
More often than not, the FTC has affirmed, not disavowed, its authority over unfair data security practices, the commission said, pointing, for example, to 19 data security cases brought since 2000 alleging unfair practices. In addition, four of the data security bills mentioned by the defendants would actually preserve the FTC’s data security authority, the commission said.
In its reply, Hotels and Resorts said the court need not defer to the FTC’s interpretation of Section 5 because the agency “has not engaged in formal adjudication or rulemaking.”
Fair Notice of Standards?
Even if Section 5 provides the FTC with such authority, it failed to provide fair notice of what Section 5 requires concerning data security, Hotels and Resorts argued. The commission has not published any regulations or guidance to this end, Hotels and Resorts said.
The FTC responded that the defendants have fair notice of what Section 5 requires as to data security. The commission said it “has consistently stated that in the context of data security, reasonableness is the touchstone: unreasonable data security practices are unfair.” In addition to industry guidance pertaining to data security, the FTC’s public statements and consent orders addressing data security provide notice, the commission said.
“In the highly complex and technically sophisticated world of data security, a command to ‘act reasonably’ provides no guidance as to how businesses must manage their systems, program their software, configure their servers, or make any of the other decisions involved in protecting computer networks from hackers,” Hotels and Resorts said in its reply. It noted that the FTC’s consent orders “contain little more than highly abstract statements about the defendants’ data-security practices” and “cannot substitute for an agency statement carrying the force of law.”
Hotels and Resorts compared the FTC’s regulatory approach to that in President Obama’s February cybersecurity executive order.
The executive order directed the Department of Commerce’s National Institute of Standards and Technology to lead the creation of a cybersecurity framework with voluntary standards for the nation’s critical infrastructure. A draft framework is due in October and a final version must be produced by February 2014.
The commission responded that Obama’s executive order does not directly address its authority and focuses on threats to national security, not consumer interests.
“The FTC should not be permitted to circumvent the full legislative process by establishing rules and principles through private enforcement actions, resulting in a string of consent orders that the FTC publishes and which it holds out to other businesses as if they were established law,” the Chamber of Commerce of the United States of America, Retail Litigation Center, American Hotel & Lodging Association, and National Federation of Independent Business argued in a friend of the court brief filed in support of the defendants.
The responsibility to demand that the FTC develop data security law through rulemakings and guidance falls to the courts, TechFreedom, the International Center for Law & Economics, and privacy scholars contended in a friend of the court brief filed in support of the Hotels and Resorts motion to dismiss. “[W]ithout Article III court decisions developing binding legal principles and no other meaningful form of guidance from the FTC, the law will remain unconstitutionally vague,” they said.
“Technically, there should not be a common law built on FTC consent orders, in the same way judicial precedent builds the common law,” Friel told BNA. “That is not the way [the] executive branch and administrative law are supposed to operate. But, it is the practical reality.”
Unfairness Authority Controversial.
The scope of the FTC’s unfairness authority under Section 5 of the FTC Act is a “long controversial issue in FTC jurisprudence,” Friel explained. “Many feel that this is not a clear standard sufficient to give companies notice of what they can and cannot do and allows the FTC to essentially create law without authority or direction of Congress and outside of the rule making process, which requires notice and public comment.”
“The Defendants are correct that the statutory authority of the FTC does not encompass technical security standards, but rather commercial dealings with consumers in the ordinary sense,” Roosa told BNA. “The grey area is when a business makes representations regarding the quality of security practices to consumers or when security practices are so lacking that it is ‘unfair’ to the consumer.”
“Conventional wisdom” suggests that the court’s decision will be “black or white,” such as a “blow” that would limit the FTC’s ability to bring enforcement actions under the Section 5 unfairness prong, Jules Polonetsky, executive director and co-chairman of the Future of Privacy Forum, told BNA Aug. 22.
But the court’s ruling could be a shade of gray instead, Polonetsky said. The court could find that the FTC in general has authority under the unfairness prong but that there is “no clear reasonable standard” in the area of data security, he said. Such a ruling could pause these sorts of enforcement actions until the FTC, Congress, and others established clear lines around the meaning of reasonable data security, he explained.
“As the briefing in the case makes clear, trying to distill which practices are, and are not, standard security practices is a dodgy enterprise,” Roosa said. “Also, for security practices, many times they are not the subject of explicit representations by the company. Over time, as the FTC goes further down the rabbit hole on security issues, expect to see greater reliance on ‘unfair’ practices as the predicate for jurisdiction.”
Lack of Injury?
In order for the FTC to find an unfair act or practice unlawful, it must “cause[ ] or [be] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition,”
“But, because of the special nature of payment card data, consumer injury from the theft of such data is never substantial and always avoidable,” Hotels and Resorts said. Under federal law, there is a $50 limit on consumer liability for fraudulent payment card charges and major card brands have policies that waive that liability, it explained.
Hotels and Resorts pointed to the U.S. Court of Appeals for the Third Circuit’s decision in Reilly v. Ceridian Corp.,
The FTC dismissed the defendants’ argument that payment card fraud is not an injury that satisfies the FTC Act as “an attempt … to mischaracterize questions of fact as questions of law.” Those questions of fact must be left for trial, it said.
The commission said several recent Article III standing cases — Reilly, Clapper v. Amnesty Int’l USA,
The FTC added that federal law does not provide the same liability protections for debit cards as it does for credit cards.
But under federal regulations, consumer liability for unauthorized debit card charges is eliminated provided that the consumer reports such charges within 60 days, Hotels and Resorts said in its reply. It added that courts have often rejected “incremental and attenuated injuries” in data security cases and it distinguished the Anderson decision on the grounds that it arose under Maine law.
The theft of consumer data is likely to cause significant harm to consumers, such as time and expenses disputing fraudulent charges or fixing credit reports, payment of such charges, damage to credit histories, and emotional distress, Public Citizen Inc. and Chris Jay Hoofnagle, lecturer in residence at the University of California, Berkeley School of Law, argued in an amicus brief filed in support of the FTC’s opposition.
Cate told BNA that the lack of an injury alleged in the complaint could imperil the FTC’s case. The FTC alleges that thousands of people were injured but it does not allege that any one of those consumers “paid any money out of pocket,” he said.
At the same time, Cate said if the court undercuts the FTC’s authority in this case, it will deliver a “huge blow” to the regulation of data security in the private sector. He called the prospect of the lack of legal oversight in this regard “extraordinarily dangerous.”
Deception Claim and Express Disclaimer.
Hotels and Resorts also called for the dismissal of the FTC’s deception claim, noting that the only data compromised during the attacks were those collected by “independent Wyndham-branded hotels,” not Hotels and Resorts. The company’s privacy policy does not make any representations as to the data security at such hotels and instead “expressly disclaims” data security representations, it contended.
In addition, the amended complaint does not meet federal pleading requirements, Hotels and Resorts argued, pointing, for example, to the complaint’s alleged failure to define standard industry data security practices.
The FTC responded that its complaint does not need to meet the higher pleading standards for fraud allegations in Federal Rule of Civil Procedure 9(b). Even so, the amended complaint still meets that higher pleading standard, the FTC argued, such as its allegation that Hotels and Resorts had “actual control” over its franchisee’s data security practices.
The commission called the disclaimer in the privacy policy ambiguous and said that evaluating the effectiveness of a disclaimer is a “fact-specific inquiry” that should not be considered at the motion to dismiss stage.
The International Franchise Association, in a friend of the court brief filed in support of the Hotels and Resorts motion to dismiss, contended that the FTC’s deception claim is inconsistent with the law of franchisors and franchisees. A franchisor can only be held liable for a franchisee’s action when it directly controls the conduct of the franchisee but the commission “does not plausibly allege that [Hotels and Resorts] actually controls its franchisees’ data entry or local data security,” the association said.
“In any event, there is no basis for holding a franchisor like [Hotels and Resorts] liable for deception where its privacy policy expressly disclaimed any responsibility for the data-security practices of its franchisees,” the association added.
Polonetsky told BNA that the court could focus on the franchise aspects of this case and find that Wyndham is not responsible because it had no direct control over the hotels or the owners of the hotels.
This case has driven many companies to update their security disclosures to either modify or eliminate their security promises, Polonetsky said. He added that the FTC usually has a “clear shot at deception,” but he noted that a deception ruling in the FTC’s favor is “heavily contingent” on the manner in which the defendants informed consumers about the security practices they have in place.
Friel described the FTC’s deception authority as “pretty clear cut.” In comparison to the commission’s unfairness authority, with a deception claim “companies are more hard pressed to argue they lacked notice of the rules of the road,” he said.
No ‘Common Enterprise’?
The remaining defendants argued that the amended complaint does not allege that they engaged in any unlawful conduct. Nor can they be held derivatively liable for the unlawful conduct of Hotels and Resorts, they claimed.
The FTC does not allege that Hotels and Resorts is trying to avoid Section 5 liability through another corporate form and it does not allege facts to establish “common enterprise” liability, the remaining defendants argued. They said the amended complaint “does not allege that defendants commingle corporate funds or assets, fail to observe corporate formalities, fail to adhere to corporate distinctions when dealing with third parties, or fail to maintain separate books and records.”
In its response, the FTC claimed the amended complaint sufficiently alleges direct liability as to each of the defendants. For example, the complaint alleges that each defendant at one point had a hand in overseeing the data security at the hotels, the commission said.
In addition, the defendants’ exercise of common control, shared office space, “maze of interrelated companies,” and pooled staff and resources demonstrate that they operated a common enterprise, the FTC said.
“If the Court were to enter an order against only Hotels and Resorts, Wyndham would be able to transfer responsibility for data security to another Wyndham entity—as it has done in the past … and, as a result, avoid prospective enforcement actions regarding deceptive or unfair acts or practices related to data security,” the FTC argued.
“[F]inding a ‘common enterprise’ based on the FTC’s allegations would mean that a common enterprise would exist in nearly every Section 5 case, unless the corporate defendant had no corporate affiliates at all,” the remaining defendants said in their reply. They added that legal responsibility should lie not with the entity that provides data security services, but with the entity that collects and uses consumer information.
Potential International Impact.
If the FTC’s authority to regulate unfair acts and practices is curtailed, it may become harder for the U.S. to convince other nations that its data protection regime is sufficient, especially in light of the recent revelations regarding the National Security Agency’s surveillance techniques, Justin Brookman, director for the Center for Democracy & Technology’s Project on Consumer Privacy, told BNA Aug. 21.
This case “points out a void the FTC is seeking to fill — the lack of a clear national standard for data privacy and security,” Friel told BNA. “Although the European approach to data protection is overly technical and too privacy-centric, it is at least a scheme that provides notice to industry as to how it must conduct itself with regard to consumer data.”
Consumer Protection Concerns.
Some consumer protection advocates claimed that FTC enforcement actions are key in the absence of other data breach legal remedies.
“Although the injuries resulting from a data breach can be significant, private tort suits alleging such injuries are nascent, and federal courts to date have not recognized a private remedy against companies whose networks are breached for consumers whose data is stolen but not yet misused,” Public Citizen and Hoofnagle argued in their friend of the court brief. FTC Section 5 actions are “the key means of protecting consumers.”
“Indeed, FTC enforcement actions such as the one at issue here have served as the only effective means of redressing the unfair corporate practices that lead to corporate data breaches that cause substantial injuries to consumers,” Public Citizen and Hoofnagle said.
“The outcome of this case is crucial to upholding two very important principles: that companies to whom consumers entrust their personal data are responsible for keeping it reasonably secure, and that the [FTC] has the authority to act under its consumer protection mandate if companies do not fulfill that responsibility,” Susan Grant, director of consumer protection for the Consumer Federation of America, told BNA Aug. 20.
“In this case, the FTC alleged not only that Wyndham failed to take specific, commonly-accepted measures to secure customers’ data but that it did not live up to the public assurances it made in that regard,” Grant added. “Wyndham’s arguments that the FTC’s expectations for reasonable security are too vague and that there is no harm in exposing credit card numbers and other personal information to identity thieves are unpersuasive and, from a public relations perspective, they certainly don’t help to restore consumer confidence in the company after the data breach.”
Lisa Weintraub Shifferle, Kristin Krause Cohen, Kevin H. Moriarty, Katherine E. McCarron, John A. Krebs, Andrea V. Arias, and Jonathan E. Zimmerman, of the FTC in Washington, represented the commission. Jennifer A. Hradil and Justin T. Quinn, of Gibbons PC, in Newark, N.J.; Eugene F. Assaf PC and K. Winn Allen, of Kirkland & Ellis LLP, in Washington; and Douglas H. Meal, of Ropes & Gray LLP, in Boston, represented the defendants.