Despite reaching settlements with more than 50 organizations on data security issues since the late 1990s, no organization seriously challenged the Federal Trade Commission’s (FTC’s) authority to bring such cases until FTC v. Wyndham Worldwide Corp. made headlines in 2012.1 The case brought rampant speculation from the privacy and data security community on the likely outcome and potential impact on a number of issues, ranging from the FTC’s enforcement authority to national and state data security laws. Recent rulings rejecting Wyndham’s motions to dismiss may not break new ground for the FTC, but the commission’s ability to overcome the first challenges to its data security enforcement authority is significant and continues the agency’s trajectory as the country’s leading data security enforcer.2
The FTC’s complaint alleged that Wyndham Worldwide Corporation (WWC) and three affiliated companies, Wyndham Hotel Group, LLC (WHG), Wyndham Hotels & Resorts, LLC (WHR), and Wyndham Hotel Management, Inc. (WHM) (collectively, Wyndham), made misrepresentations regarding, and failed to maintain, reasonable and appropriate data security practices.3 The FTC claimed that the failures resulted in three data breaches that allegedly compromised payment card information for more than 619,000 consumer accounts and caused $10.6 million in fraud loss.
The Wyndham defendants filed two separate motions to dismiss the FTC’s complaint. The first motion only included WHR and made three main arguments: (1) that the FTC’s unfairness authority did not extend to data security; (2) that the FTC failed to provide fair notice by not promulgating data security requirements; and (3) that federal laws and card brand policies eliminated consumer injury from the breaches and any associated consumer losses. The second motion included the remaining entities, WWC, WHG, and WHM. That motion argued that the FTC’s complaint did not allege direct liability against WWC, WHG, and WHM, and that WWC, WHG, and WHM, as separate corporate entities, cannot be held derivatively liable for WHR’s alleged violations of Section 5.
Rulings on the Motions to Dismiss
In its ruling on the first motion to dismiss, the U.S. District Court for the District of New Jersey rejected all of Wyndham’s arguments. First, the court found that the FTC’s broad authority under Section 5 includes data security enforcement and rejected Wyndham’s argument for a data security exception to Section 5. Wyndham had argued that other regulations containing data security requirements preclude the FTC’s general data security authority.4 The court was not persuaded, however, and found that those regulations and data security requirements complemented, rather than precluded, the FTC’s data security authority. The court also found that three statements made by the FTC between 1998 and 2001 regarding its ability to bring data security cases did not limit the commission’s authority.
In addition, the court rejected Wyndham’s second argument that it did not receive fair notice of data security requirements because the FTC had not issued data security rules and regulations prior to bringing an enforcement action. The court noted that other courts have affirmed FTC unfairness actions without preexisting rules or regulations in many contexts by relying on notice provided by the FTC’s case-by-case enforcement approach. Thus, the court found that the FTC’s previous data security enforcement actions, public statements, and business guidance brochures provided sufficient notice. The court also explained that Wyndham’s fair notice argument was not limited to data security, and as such, accepting it would result in the FTC stopping all unfairness actions until proscribing specific requirements for each context, an outcome contradictory to the “flexibility necessarily inherent in Section 5 of the FTC Act.”5
Finally, the court rejected Wyndham’s third argument that consumers did not suffer substantial, unavoidable financial injury because federal laws and card brands effectively protect consumers from fraud loss caused by payment card data breaches. The court held that the FTC’s allegations of unreimbursed fraud charges, the loss of access to funds, the temporary loss of access to credit, the cost of reasonable mitigation, and the time, trouble, and aggravation of dealing with unwinding the alleged fraud were enough to overcome the motion to dismiss. The court also held that the FTC adequately pled that the alleged injuries were unavoidable and that Wyndham’s alleged security failures caused the injuries.
In its ruling on the second motion to dismiss, the court rejected both of Wyndham’s contentions. The court held that the FTC’s allegations of specific facts relating to common control of the companies and sharing of office space and employees were sufficient to support a claim for common-enterprise liability. In doing so, the court dismissed Wyndham’s argument that the FTC did not allege other factors that would support a common-enterprise finding, explaining that “no one factor is controlling” and courts routinely consider a variety of factors.6 The court also noted that the FTC specifically alleged that WWC and WHG had responsibility for and oversight over some of Hotels and Resorts’ business functions including information security during certain time periods.
The judge qualified the first ruling, noting that it “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”7 Further, the ruling does not mean that the U.S. Court of Appeals for the Third Circuit will sustain the FTC’s authority on appeal or that the FTC will prevail against Wyndham at trial. The judge granted Wyndham’s request to certify for interlocutory appeal of the order, so the Court of Appeals may provide additional clarification on the FTC’s authority in the near future.8 The second ruling is also limited, as a determination of common enterprise sufficient for liability for WWC, WHG, and WHM will depend on the evidence rather than the FTC’s allegations.
The rulings as they stand, however, are likely to make organizations more reluctant to challenge the FTC’s data security enforcement, continuing the settlement trend of the vast majority of the commission’s data security cases. The rulings may even increase the FTC’s recent heightened focus on data security, with five companies already settling allegations in the first quarter of 2014. The FTC also may take this opportunity to continue advancing its agenda to expand its enforcement powers. In recent testimony before the Senate Homeland Security and Governmental Affairs Committee and the Senate Commerce, Science, and Transportation Committee,9 FTC Chairwoman Edith Ramirez again called for authority under new federal data security and breach notification laws to seek civil penalties to help deter unlawful conduct, rulemaking authority under the Administrative Procedure Act, and jurisdiction over non-profit entities. Even without these expansions of enforcement power, the rulings give organizations clear notice of the FTC’s authority as a leader in data security enforcement.
1 Press Release, Federal Trade Commission, “FTC Files Complaint Against Wyndham Hotels for Failure to Protect Consumers’ Personal Information” (June 26, 2012), available at http://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect.
2 Opinion, FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD (April 7, 2014), available at http://epic.org/privacy/big-data/ftc-v-wyndham-opinion.pdf [hereinafter Opinion 1]; Opinion, FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD (June 23, 2014), available at http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?filename=0&article=1763&context=historical&type=additional [hereinafter Opinion 2].
3 Complaint, FTC v. Wyndham Worldwide Corp., No. 2:12-cv-01365-SPL (June 26, 2012), available at http://www.ftc.gov/sites/default/files/documents/cases/2012/06/120626wyndamhotelscmpt.pdf.
4 Wyndham identified the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as regulations establishing data security requirements. Opinion 1, supra note 2 at 8.
5 Id. at 25.
6 Opinion 2, supra note 2 at 12.
7 Opinion 2, supra note 2 at 12.
9 Prepared Statement of the Federal Trade Commission on Data Breach on the Rise: Protecting Personal Information From Harm before the Committee on Homeland Security and Governmental Affairs of the United States Senate (April 2, 2014) (statement of E. Ramirez, Chairwoman, Federal Trade Commission), available at http://www.ftc.gov/system/files/documents/public_statements/296011/140402datasecurity.pdf; Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches before the Committee on Commerce, Science, and Transportation of the United States Senate (March 26, 2014) (statement of E. Ramirez, Chairwoman, Federal Trade Commission), available at http://www.ftc.gov/system/files/documents/public_statements/293861/140326datasecurity.pdf.