July 12, 2020


The FTC Has Authority to Regulate Privacy and Data Security - Federal Trade Commission

A recent United States District Court decision underscores how important it is for businesses to assess and implement data security measures that meet industry standards.  In recent years, the Federal Trade Commission (FTC) has become increasingly active in regulating data security practices, initiating over 50 enforcement actions to date.  In the first case to challenge the FTC's authority to regulate data security measures in court, the ruling has potentially opened the door to greater cyber-security compliance and legal risk for businesses.

On April 7, 2014, the United States District Court for the District of New Jersey held that the FTC could proceed with a lawsuit against Wyndham Worldwide based on its allegation that the hotel company’s security practices violated Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Prompted by three data breaches suffered by Wyndham between 2008 and 2010, the FTC brought suit against Wyndham in 2012, alleging that it had violated the Act by representing in its online privacy policy that it “had implemented reasonable and appropriate measures to protect personal information against unauthorized access” when it had not.  In particular, the FTC alleged the following deficiencies, among others, in Wyndham’s security practices:

failing to use firewalls; permitting storage of payment card information in clear readable text; allowing its hotels to connect insecure servers to its computer network; permitting servers on its networks with commonly-known default user IDs and passwords; failing to use commonly-used methods to require user IDs and passwords that are difficult for hackers to guess; failing to monitor its computer network for malware used in a previous intrusion; and failing to restrict third-party access.

Moreover, the FTC claimed that after discovering these security breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  As a result, the FTC alleged, Wyndham had “exposed consumers’ personal information to unauthorized access, collection and use” that caused or is likely to cause substantial consumer injury, including financial injury.

In response, Wyndham moved to dismiss the FTC’s complaint on the grounds that the FTC lacked authority under the Act to regulate data security practices.  In denying Wyndham’s motion, however, the Court upheld, and perhaps expanded, the FTC’s authority to regulate such practices.  Indeed, the Court’s opinion suggests very few, if any, constraints on the FTC’s ability to develop a common law of data protection requirements through case-by-case adjudication.  Specifically, in response to Wyndham’s argument that the “FTC must formally promulgate regulations before bringing an unfairness claim” in order to give businesses fair notice of what compliance requires, the Court noted that FTC unfairness actions have been upheld in a variety of contexts without preexisting rules or regulations specifically addressing the conduct at issue.  The Court therefore held that the FTC may regulate either through general rulemaking or through individual adjudication.  Thus, a business must look to the rulings, interpretations and opinions of the FTC for guidance, and need not be afforded particular notice of what constitutes “unfair” conduct.

The Court also rejected Wyndham’s claim that the three data breaches at issue did not cause consumers any “substantial injury” because consumers could have their payment card issuers rescind any unauthorized charges.  In doing so, the Court explained that whether consumers suffered financial injuries that were not reasonably avoidable is a factual inquiry that cannot be resolved on a motion to dismiss.  The Court thereby implied that if discovery does not reveal evidence of substantial injury to consumers, Wyndham may yet prevail against the FTC.  Nonetheless, the Court’s ruling on this point amounts to an affirmation of the FTC’s authority to regulate data security practices.

Overall, the Court’s opinion suggests very few, if any, constraints on the FTC’s authority to enforce Section 5 of the FTC Act and to prosecute potential violations of it.  Indeed, the opinion makes clear that the FTC: (1) need not promulgate specific regulations informing entities as to what activities constitute “unfair or deceptive acts or practices in or affecting commerce,” and (2) need not plead with much particularity the basis for its allegation that consumers have suffered “substantial injury” as a result of such conduct.

As a result, businesses should take particular care to avoid an FTC investigation and possible enforcement action.  Specifically, they should be aware of the data protection standards in their respective industries, and should carefully and regularly review their own consumer data protection and privacy practices to ensure that they meet those standards.  The recent opinion makes plain that taking these precautions is the cornerstone of complying with Section 5 of the FTC Act, and is critical to mitigating the risk of suffering the burden and expense of an FTC enforcement action.

© 2020 Neal, Gerber & Eisenberg LLP. National Law Review, Volume IV, Number 128


About this Author

Jessica Rissman Cohen, Associate, Neal Gerber law firm

Jessica Rissman Cohen is an intellectual property associate whose practice focuses on protecting and policing clients’ trademark, trade dress and copyright rights. Jessica counsels clients in all aspects of their branding, advertising and enforcement needs. She specializes in trademark counseling for clients in a wide variety of industries, including consumer home goods, food products, tobacco products, hospitality/restaurant services, online services. She works with domestic and international companies to register, maintain, protect and license trademarks, service marks, domain...

(312) 269-5272
Lee J. Eulgen, Partner, Neal Gerber law firm

Lee J. Eulgen has significant experience in intellectual property litigation, negotiation and counseling, including trademark, copyright, patent, right of publicity, trade secret, trade dress, domain name,  entertainment, unfair competition and privacy-related matters. In particular, Lee has first-chaired countless intellectual property disputes and he is a member of the International Trademark Association’s Enforcement Committee. Lee has also handled numerous brand and technology-driven transactions, including licensing and information technology transactions, as well as sponsorship and advertising agreements, mergers, acquisitions and asset transfers.

In addition, Lee is well-versed in strategic global trademark portfolio management, including worldwide trademark clearance, prosecution and enforcement matters. Lee also has particular expertise in complex intellectual property-driven licensing and procurement transactions, including myriad transactions in the hospitality and gaming industries and many transactions involving parties located in mainland China, the Hong Kong Special Administrative Region of the P.R.C. and Taiwan.