A decision from the U.S. District Court for the District of New Jersey last week affirmed the Federal Trade Commission’s assertion of authority to prosecute data security breaches under Section 5 of the Federal Trade Commission Act. The FTC has increasingly used its authority under Section 5, which makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices,” to regulate data security. Two companies, Wyndham Worldwide Corp. and LabMD Inc., have publicly challenged the FTC’s authority over their data security policies (and subsequent lapses). We posted in December about LabMD’s challenge, which remains pending before the FTC. The District of New Jersey, however, has rejected Wyndham’s challenge.
In June 2012, the FTC filed a complaint against Wyndham, alleging that Wyndham used unfair and deceptive practices by failing “to maintain reasonable and appropriate data security for consumers’ sensitive personal data,” which, in turn, exposed customers’ personal and credit card information to hackers in three system attacks between 2008 and 2011, resulting in fraudulent charges to consumers’ accounts totaling $10.6 million.
Wyndham moved to dismiss the complaint, arguing, among other things, that the FTC’s unfairness authority does not extend to data security because:
- Section 5’s text does not authorize such authority;
- Until recently, the FTC specifically disclaimed such authority; and
- Other specific statutory grants of authority to the FTC to regulate data-security standards in certain specific, limited contexts demonstrate the agency lacks authority in instances that fall outside of those specific delegations.
Alternatively, Wyndham argued, even if the FTC could regulate data security under Section 5, any such regulation would have to be established through rulemaking before the FTC could bring a selective enforcement action.
In a 42-page opinion issued April 8, 2014, District Judge Salas rejected what she characterized as Wyndham’s demands that the court “carve out a data-security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court.” The court went on to uphold the FTC’s complaint, stating that it “sufficiently pleaded an unfairness claim under the FTC Act…” The court rejected Wyndham’s argument that the FTC’s regulation of data security under Section 5 is incompatible with more recent legislation.
Essentially, Wyndham argued that because Congress has enacted several specific data-security laws through the last decade, the fact that it has not explicitly granted authority to the FTC impliedly strips the FTC of authority over the subject matter. Rejecting this argument, the court found that the subsequent data-security legislation simply “complement[s]” the FTC’s authority under Section 5 and does not act as an implied repeal of that authority. The court also rejected Wyndham’s contention that the FTC should proceed by rulemaking before initiating a selective enforcement action, finding that it is within the agency’s discretion to determine how it proceeds. The court made clear, however, that its decision was not a decision about Wyndham’s ultimate liability and “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
The District of New Jersey’s decision, though positive for the FTC, is not likely to dissuade future challenges on this issue, and an ultimate win for Wyndham on the merits of the case might tie the FTC’s hands in future enforcement actions. But as the number and level of public awareness of data breaches and security lapses continue to increase, additional federal regulation in this area seems imminent. Whether Congress will leave that regulation to the FTC remains to be seen.