Wyndham Hotels and Resorts has agreed to settle the FTC’s charges that its corporate data security practices were deficient under the unfairness prong of Section 5 of the FTC Act. Assuming the district court approves the proposed stipulated consent order, this concludes the litigation between Wyndham and the FTC. Under the terms of the twenty-year consent order, Wyndham must develop a comprehensive data security program designed to reasonably protect cardholder data and conduct annual data security audits. In addition, for any data breach affecting more than 10,000 credit card numbers, Wyndham must obtain an assessment of the breach within 180 days and provide the assessment to the FTC within 10 days of receiving it. Importantly, today’s settlement does not affect the Third Circuit’s decision upholding the FTC’s jurisdiction over corporate data security practices, which stands as the only federal appellate decision on the scope of FTC authority over corporate data security under the unfairness prong.
The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act. The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers. The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard. Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong. An analysis of the highlights of the Third Circuit’s opinion is available after the jump.
On Friday, March 27, 2015, the Federal Trade Commission and Wyndham Worldwide Corp. filed supplemental briefing in the Third Circuit regarding whether the FTC had made an adjudicative decision that the FTC Act prohibits unreasonable cybersecurity practices and, if not, whether a federal court could hear a case charging a violation of the FTC Act if the FTC has not yet made such an adjudicative decision.
Recall that, in FTC v. Wyndham Worldwide Corp. et al., the FTC has alleged that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information. Unsurprisingly, the parties held diametrical opinions on the issue of whether the FTC had declared unreasonable cybersecurity practices unfair through the procedures of the FTC Act. The FTC began by arguing that it had done so through the issuance of an interlocutory decision in LabMD. Wyndham countered, noting that the interlocutory decision denying a motion to dismiss in LabMD was not final, and therefore could not amount to a formal declaration about the meaning of unfairness.
Next, the FTC argued that it had declared unreasonable cybersecurity practices through the issuance of more than 20 complaints charging as much. The FTC argued that “complaints are akin to policy statements or interpretive rulings,” which litigants and the courts may resort to for guidance, and that the FTC’s issuance of more than 20 complaints charging deficient data security practices are unfair was therefore sufficient to satisfy any requirement that the FTC have declared unreasonable cybersecurity practices unfair through procedures of the FTC Act. It is worth noting that, in making this argument, the FTC cited to a 2014 Third Circuit case which stated that courts and litigants may look to agency policy statements and interpretive rules for guidance. However, the same case also noted that such statements “do not have the force of law,” raising the question of whether they could be considered adjudicative decisions. Wyndham highlighted this point, arguing that because complaints and consent decrees do not adjudicate the legality of any action by a party thereto, they cannot constitute a declaration of law on any issue, including that unreasonable cybersecurity practices are unfair. “Try as it might,” Wyndham said, “the Commission cannot transform complaints and consent decrees into rules and adjudications.”
Finally, the FTC argued that it had declared unreasonable cybersecurity practices unfair through the giving of Congressional testimony stating that the FTC deemed inadequate data security to be a potentially unfair practice. This possibility was not addressed by Wyndham.
The above dispute aside, both parties agreed that the Third Circuit need not decide the issue of whether the case is a “proper case” within the meaning of Section 13(b) of the FTC Act and therefore appropriately before the federal court. Both parties noted that neither had raised the issue and that, in any event, resolution of the issue was not necessary to establish jurisdiction as the federal courts independently have jurisdiction of the case pursuant to 28 U.S.C. §§ 1331, 1337, and 1345. The parties also both noted that many courts have held that a “proper case” is any case that the Commission chooses to bring directly in court for violation of an FTC-enforced statue and that, were the Third Circuit to hold otherwise, it would create a circuit conflict.
Today, the U.S. Court of Appeals for the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. The court focused on several themes: First, whether Congress has entrusted the FTC to define new unfair practices, whether the FTC has declared that unreasonable cybersecurity practices are unfair, and whether the FTC is asking the Third Circuit to declare that unreasonable cybersecurity practices are unfair in the first instance; second, the existence and enforcement of cybersecurity standards; and finally, what is proper jurisdiction under FTC Act Section 13(b).
Eugene Assaf argued for Wyndham Worldwide Corp., and Joel Marcus argued for the FTC. The judges on the panel are Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica.
The Third Circuit panel that will hear arguments in FTC v. Wyndham Worldwide Corp. is comprised of Judges Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica. Of the three, Judge Ambro is the most recent addition to the bench, having been appointed by President Clinton in 1999 and confirmed in 2000. Both Judges Roth and Scirica were appointed by President Reagan and both have also assumed senior status on the court: Judge Roth in May 2006, and Judge Scirica July 2013.
Wyndham has received considerable attention because it raises the question of whether the “unfairness” prong of Section 5 of the FTC Act provides the Commission with the authority to bring actions involving data security. If the Third Circuit publishes its opinion in the case, the ruling would be binding in Delaware, New Jersey, and Pennsylvania.
On February 20, the Third Circuit sent a letter to counsel in FTC v. Wyndham Worldwide Corp., identifying at least one topic that will be addressed in the upcoming oral argument regarding the parties’ dispute over whether the FTC has the authority to regulate companies’ data security practices: whether unreasonable cybersecurity practices are “unfair.” The letter requested that counsel be prepared to address the issue by answering three questions. First, whether the FTC has declared that unreasonably security practices are “unfair” through procedures provided in the FTA Act. Second, if not, whether the FTC is requesting that the federal courts determine that unreasonable cybersecurity practices are “unfair” in the first instance. And finally, whether federal courts have the authority to determine that unreasonable cybersecurity practices are “unfair” in the first instance under a case brought under 15 U.S.C. § 53(b) (providing authority for the Commission to bring suit to enjoin a person or entity that the Commission has reason to believe is violating or is about to violate a provision of the FTC Act). The letter further indicated that the Third Circuit may also request additional briefing on these topics.
Recall that, in the District Court ruling that preceded the Third Circuit appeal, Judge Esther Salas said that the “untenable consequence” of Wyndham’s argument that the FTC provide notice as to which security practices are lawful, and which are “unfair” before bringing an enforcement action would force the FTC “to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.” But the Third Circuit’s request indicates that the Third Circuit is at least considering whether to weigh in on the meaning of unfairness—particularly, whether unreasonable cybersecurity practices are unfair—something that has the potential to offer greater clarity for privacy and data security industries.
The Third Circuit’s interest in the meaning of “unfair” was shared by then-FTC Commissioner J. Thomas Rosch in his dissent from the count charging Wyndham with engaging in “unfair” practices in the initial vote authorizing staff to file the complaint. In his dissent, Rosch voiced reservations about what he viewed as an expansion of the Commission’s understanding of unfairness from instances where there is tangible harm to consumers to those where there are intangible injuries, such as unreasonable cybersecurity practices.
Earlier this week, U.S. District Court Judge Esther Salas directed the Federal Trade Commission (“FTC”) and Wyndham Hotels and Resorts to seek mediation to resolve their landmark dispute over whether the FTC has the authority to regulate companies’ data-security practices. As we’ve previously reported, the FTC alleged that Wyndham violated Section 5 of the FTC Act’s prohibition against “unfair practices” by failing to provide “reasonable” security for the personal information of its customers. Although the FTC has settled complaints relying on this broad interpretation of its unfairness authority, this case was closely watched because it was the first time a court had the opportunity to weigh in on the scope of that authority in the privacy and data-security context.
Although not necessarily unprecedented, the mediation order has been cited by some as unusual because the case presents a legal question underpinning a major enforcement and policy priority for the FTC. To the extent, however, that parties traditionally are required to mediate in order to “conserve [judicial] resources,” as was stated in Judge Salas’s order, mediation may help narrow or further focus the dispute.
Following Judge Salas’s earlier denial of Wyndham’s motion to dismiss, in which she rejected each of Wyndham’s challenges to the FTC’s authority, the U.S. Court of Appeals for the Third Circuit agreed to consider the issue on interlocutory review. Therefore, while the order for mediation stays the proceedings in district court, the legal question at issue remains pending before the circuit court.
Last week, a federal judge in the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss the FTC’s complaint alleging Wyndham violated the FTC Act by failing to provide reasonable security for its customers’ personal information. This Covington E-Alert provides a detailed look at the parties’ arguments and the court’s holdings in order to assess what the decision means for businesses going forward.
Earlier today, in a long-awaited decision, Judge Salas of the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss a Federal Trade Commission (“FTC”) lawsuit alleging Wyndham violated Section 5 of the FTC Act by failing to provide “reasonable” security for the personal information of its customers. The case has been closely watched because Wyndham’s central argument is that the FTC’s authority under Section 5 to prohibit “unfair” practices does not allow the Commission to pursue companies for data security failures. Although the FTC has settled a number of complaints that have relied on this broad interpretation of its unfairness authority, this is the first time a court has had the opportunity to weigh in on the scope of that authority in the privacy and data security context. In a 42-page opinion, Judge Salas rejected each of Wyndham’s challenges to the FTC’s Section 5 authority and to the sufficiency of the complaint in this case.
Although today’s decision will rightly be hailed as a landmark, it is important to recognize that the case still is in the early stages, and that Wyndham will likely have several more opportunities to make its arguments—including to the Court of Appeals for the Third Circuit, which could see things differently than Judge Salas. But for today anyway, the FTC’s unfairness authority has survived unscathed.
Today, the Federal Trade Commission is defending its authority to enforce Section 5 of the FTC Act against Wyndham Hotels in connection with alleged lax data security procedures. Following several publicized data security breaches, the FTC investigated Wyndham and concluded that the hotel company failed to employ “reasonable and appropriate” data security practices, citing, for example, Wyndham’s alleged failure to employ certain security patches and to maintain sufficient information security policies. The FTC’s complaint against Wyndham alleges violations of both the “deception” and “unfairness” prongs of the FTC Act. According to the FTC:
- Wyndham engaged in “deceptive” practices by misrepresenting that it took “commercially reasonable efforts” to secure customers’ payment card data; and
- Wyndham engaged in “unfair” practices because its lax security measures failed to adequately protect this payment card data.
Rather than enter into a consent order with the FTC to resolve these allegations, Wyndham is fighting the FTC’s authority to take action against the hotel company. Today, a U.S. District Court in New Jersey will hear oral arguments relating to the motion to dismiss filed by Wyndham. Wyndham’s motion to dismiss points to the absence of a specific delegation of authority from Congress to the FTC giving it authority to regulate data security — authority that the FTC repeatedly sought but failed to secure from Congress.
Companies rarely litigate FTC enforcement actions, frequently resolving complaints through consent order. Therefore, this is a rare judicial challenge to the FTC’s authority to regulate privacy and data security. If the FTC were to lose the motion to dismiss, the FTC would have the right to appeal the decision to the Third Circuit Court of Appeals, but the loss would raise questions about the scope of the FTC’s authority as the chief U.S. regulator for privacy and data security. Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.