Two recent decisions – one from the federal district court in New Jersey and one from a federal Administrative Law Judge – potentially will have a significant impact on the Federal Trade Commission’s (FTC) enforcement of businesses’ data security obligations.
FTC v. Wyndham Worldwide
In FTC v. Wyndham Worldwide Corporation, the New Jersey federal district court upheld the FTC’s authority to find that a business that has sustained a data breach has committed an “unfair trade practice” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), when its privacy controls are found to be inadequate. Over the past several years, the FTC has regulated data privacy and security under Section 5(a) by bringing actions against businesses that have sustained data breaches on the ground that the business has committed a deceptive and/or an unfair trade practice. The deceptive trade practice claim typically alleges that the business has failed to live up to its promises to consumers about how it will secure the privacy of their data. More controversially, however, the FTC also has sought to regulate data security by bringing actions against businesses alleging that they had inadequate data security protections even in the absence of any consumer promises. Until Wyndham challenged the FTC’s authority, these “unfair trade practice” cases brought by the FTC had settled.
In its complaint, the FTC alleged that between April 2008 and January 2010, intruders gained unauthorized access — on three separate occasions — to Wyndham-branded hotels’ property management system servers and gained access to its guests’ personal information, including customers’ payment card account numbers, expiration dates, and security codes. Furthermore, the FTC alleged that after discovering the first two breaches, Wyndham failed to take appropriate steps in a reasonable time frame to prevent the further compromise of its network. According to the FTC, Wyndham’s data security deficiencies caused:
[T]he three data breaches described above, the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss. Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit. Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm.
In response, Wyndham filed a motion to dismiss the Complaint on several grounds, all of which were rejected by the district court. First, the court held that the existence of specific industry data security statutes such as GLBA and HIPAA did not preclude the FTC from exercising its broad authority over other non-regulated industries. Second, the court held that although the FTC has not issued any specific regulations or other guidance expressly explaining what data security practices the Commission believes Section 5 to forbid or require, there is sufficient guidance available through other publicly available sources, including the body of available jurisprudence arising out of FTC enforcement actions. Finally, the Court rejected Wyndham’s position that the FTC’s complaint failed to sufficiently plead substantial, unavoidable consumer injury caused by the data breaches — a necessary element of proving an “unfair trade practice.” It will be interesting to see how this case proceeds from here and whether any other federal courts follow suit.
FTC v. LabMD, Inc.
In FTC v. LabMD, Inc., the FTC filed a complaint alleging that a variety of LabMD’s data security practices “taken together, failed to provide reasonable and appropriate for personal information on its computer networks, which caused, or is likely to cause, substantial injury to consumers.” In other words, the complaint alleges that LabMD committed an unfair trade practice in violation of Section 5. Among LabMD’s deficiencies, according to the Complaint, was its lack of any comprehensive information security program.
In response to the complaint, LabMD appears to have taken a different approach than did Wyndham. Making essentially the same argument as Wyndham’s second argument above, LabMD took the position that the FTC was seeking to hold it to nonexistent data security standards and sought to take the deposition of an FTC official for the purpose of identifying “all data-security standards that have been used by [the FTC’s Bureau of Consumer Protection (BCP)] to enforce the law under Section 5 of the Federal Trade Commission Act since 2005.” Not surprisingly, the FTC resisted the deposition, but the ALJ back in March established some ground rules to permit the deposition to go forward. When the deposition proceeded on April 14, 2014, FTC’s counsel objected and instructed the witness not to answer when the witness was asked whether the FTC or the BCP had published a standard establishing what it requires for a comprehensive information security program — of course, knowing full well that there is no such standard published by either agency. LabMD’s counsel then asked some additional similar questions, each of which was met with the same objection and instruction.
LabMD then filed a motion to compel, arguing that it was entitled to know the data security standards against which it was being measured and which the FTC intends to rely upon at trial to show that LabMD’s data security was inadequate. The ALJ held that while LabMD may not seek discovery of the legal standards that the FTC has relied upon in the past to enforce Section 5, the data security standards are factual matters well within the scope of reasonable discovery. Accordingly, the ALJ ordered the deposition to proceed.
It will be interesting to see how this case is decided when the ALJ finally reaches the merits. Though the LabMD decision may put a bit of a damper on the FTC’s enthusiasm for proceeding on an unfair practice theory, the Wyndham decision, announced toward the beginning of April, still raises substantial concerns regarding how the FTC will use this expanded enforcement authority now that it has been endorsed by a federal court.
Employer Implications: CVS/Caremark
Just like a business is obligated to protect and secure its customers’ data, a business has the same duty to protect and secure its own employees’ private data as well. As we all know, human resources records are filled with the same kinds of personal data that cyberthieves crave, such as social security numbers, dates of birth, and driver’s license numbers.
Unless the Wyndham decision is overturned or fails to gain favor in other federal courts, it is highly likely that the FTC will use this authority to aggressively pursue what it considers to be inadequate data security — and one potential target could be compromised human resources records. Though the Federal Trade Commission Act appears to be surprisingly silent on the FTC’s jurisdiction to remedy unfair or deceptive practices by employers against employees, the FTC in the past has brought at least one case in which employees were the “consumers” it was seeking to protect. In CVS/Caremark Corporation (CVS), an FTC investigation concluded that CVS had disposed of documents containing confidential customer and employee information in publicly accessible unsecured dumpsters used by CVS pharmacies in at least 15 cities throughout the United States. A proposed complaint was issued alleging that CVS had engaged in deceptive trade practices because CVS had a privacy notice that promised certain data security measures were in place, which presumably would have prevented the inappropriate disposal of these records.
In February 2009, the FTC and CVS entered into a consent decree requiring CVS, among many other things, to implement a comprehensive information security program. For our purposes here, however, the important thing to note is that in the consent decree, the word “consumer” is expressly defined to include an “employee,” and “an individual seeking to become an employee,” where “employee” shall mean an agent, servant, salesperson, associate, independent contractor, and other person directly or indirectly under the control of respondent. Therefore, it is clear that the FTC believes it has jurisdiction to seek enforcement of Section 5 against businesses in their roles as employers.
At its most basic level, the Wyndham decision merely adds an additional enforcement layer onto an employer’s existing data security obligations. Nevertheless, this additional enforcement mechanism gives employers even more incentive to ensure that their human resources records are secure. Employers should conduct risk assessments to ensure that they know where their employee personal information, both electronic and hard copy, resides and the means by which it is transmitted from creation/receipt through disposal. It is then important to adopt and implement technical, administrative (including employment policies) and physical safeguards to secure that information. Employers must then train their workforce on any policies that are adopted. Finally, employers must keep in mind that risk assessment and training must be ongoing processes.