Getting hacked by Russian hackers three times in two years has turned out to be only half of the problem for Wyndham Worldwide Corporation. The Federal Trade Commission, in a broad interpretation of the authority granted to it by Congress, brought suit against the hotel franchiser on August 9, 2012. The FTC alleges that Wyndham deceived consumers because its website privacy notice contained misrepresentations regarding Wyndham’s privacy practices. The FTC also alleges that Wyndham engaged in “unfair business practices” because it did not have adequate security measures in place to protect customers from unnecessary and unjustifiable risk.
The FTC’s allegation that Wyndham engaged in “unfair business practices” has sparked controversy. While most practitioners do not contest that the FTC has authority to bring an enforcement action against a company for misleading or false statements regarding its security practices, a heated debate is ongoing over whether the FTC has the authority to regulate the way companies keep and protect personal data. In its motion to dismiss, Wyndham argued, among other things, that the FTC cannot regulate corporate security practices because it has not published rules governing cybersecurity standards that would provide adequate notice to companies of the standards to which they are being held.
The FTC maintains that unreasonably poor security practices constitute “unfair” acts or practices because it causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. Just what constitutes a “reasonable,” and thus “fair,” security system, however, has not been made clear by the FTC in any official rule or policy making process. The FTC alleges that Wyndham’s security measures fell short of “reasonable” because Wyndham failed to use complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network. In addition, the FTC alleges that Wyndham allowed improper software configurations, which resulted in the storage of sensitive payment card information in clear, readable text.
Judge Esther Salas of the United States District Court for the District of New Jersey held a hearing on Wyndham’s motion to dismiss on November 7, 2013. At the close of the hearing, Judge Salas stated that she hoped to issue an order “rather quickly.” When Judge Salas issues her order, it will be the first time a court has weighed in on whether the FTC has broad authority to regulate the consumer data security practices of all companies.
On December 13, 2013, Wyndham’s counsel filed a supplemental letter brief with the Court regarding comments made by FTC Commissioners during a December 3, 2013, hearing before the House Committee on Energy and Commerce regarding the FTC’s authority under Section 5 of the FTC Act that may bear on Wyndham’s motion to dismiss. Specifically, FTC Commissioner Joshua Wright commented, “[t]he fundamental problem with the commission Section 5 enforcement [in] the unfair methods context, is caused by a combination of the agency’s administrative process advantages and the vague nature of the Section 5 authority governing unfair methods of competition. This combination gives the FTC the ability, in some cases, to [e]licit a settlement, even when the conduct [in] question may benefit consumers.” The FTC responded to Wyndham’s supplemental authority by claiming that the hearing excerpts were taken out of context and that Commissioner Wright’s testimony dealt with the scope of the FTC’s competition authority and not the FTC’s ability to regulate consumer protection. The Court ordered the parties to submit a supplemental, joint letter-brief regarding the Committee Hearing to the Court by January 21, 2014.
Since 2002, the FTC has increasingly asserted its authority to bring injunction actions against businesses that fail to adequately protect consumer data, regardless of whether those companies engage in the activities that bring them under the explicit jurisdiction of the FTC through such statutes as the Gramm-Leach-Bliley Act. The FTC has primarily brought lawsuits against companies after they have been hacked or their security system has otherwise been breached. Indeed, 18 of the 21 formal complaints that the FTC has filed against companies in the past four years have all come after a serious incident of deliberate hacking or inadvertent breach of a company’s data system was made public. Of those 21 lawsuits, all but the pending Wyndham case has resulted in a consent decree with the FTC. Consent decrees often come not only with steep monetary penalties, but with regular monitoring by the FTC.
In the wake of recently announced data breaches in late 2013 and early 2014, including major retailers Target and Neiman Marcus, some members of Congress not only have called for an FTC investigation, but have suggested enhancing the FTC’s authority to penalize companies with insufficient security. Regardless of whether Congress and lobbyists push to enhance the FTC’s authority through legislation, the FTC will likely continue to investigate and bring enforcement actions following breach announcements.
Cybersecurity is an area of increased focus for the FTC and the FTC’s message is clear: reactive compliance with breach notification requirements is insufficient; companies are required to accurately describe their privacy practices to consumers and implement proactive security measures to protect consumer data. While the FTC has not provided clear guidance on how to proactively protect consumer data and legislation has been deadlocked in Congress for years, companies can take steps to minimize the risk that the FTC will deem their security practices inadequate.
Companies should review their website and mobile application privacy notices frequently to ensure that the notice fully and accurately describes the organization’s privacy practices. The FTC is increasingly concerned over any use of data that would “surprise” a consumer, focusing often on mobile application privacy practices. In addition, companies should implement comprehensive privacy and data security policies and assess their security measures to ensure that they are adequately protecting sensitive data. The FTC’s reasonableness standard is not concrete, but security measures should be commensurate with the volume and sensitivity of the data being processed and stored. Strong passwords, network segmentation, firewalls, and encryption of sensitive personal information are key steps to ensuring your security measures are “reasonable” in the FTC’s eyes.
 Response in Opposition to Defendant’s Motion to Dismiss, Civ. Act. No. 2:13-cv-01887-ES-JAD, Doc. No. 110, pp. 1-2 (May 20, 2013).
Phyllis B. Sumner is a Partner, Sarah E. Statz is a Senior Associate and Andrew M. Mutter is an Associate in King & Spalding's Business Practice Group in Atlanta, Georgia.