By Kelsey Finch
IAPP Westin Fellow

Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission (FTC) activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation, a hotel group, was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems, which compromised thousands of consumers’ payment card and personal information. The company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security.

Section 5 Authority & Data Security

Section 5 of the FTC Act authorizes the agency to enforce two causes of action: unfairness and deception. While the FTC has also pled deception in Wyndham, it is the agency’s authority to bring a data security enforcement action on a pure unfairness grounds that has drawn the most fire. In a recent article, Dan Solove and Woodrow Hartzog note that historically, “the FTC has exercised its unfairness enforcement power judiciously when it comes to privacy and security,” with a stated understanding that “the unfairness doctrine is the result of an ‘evolutionary process’ which refines the standard over time through cases, rules and commission statements.”

With 50 data security cases under its belt since 2000, and almost half of those since 2010, however, the FTC has been strengthening its foray into unfairness to hold businesses accountable for specific data security inadequacies. A notable example of this is the Sears case, where the FTC decided that the retailer’s data practices were unfair despite having been disclosed in the legalese of a privacy statement. In Accusearch, a pretexting case upheld by the Tenth Circuit in 2009, the court held that “the FTC may proceed against unfair practices even if those practices violate some other statute that the FTC lacks authority to administer.” The question of whether the FTC has statutory authority under Section 5 to regulate data security was, accordingly, the first issue addressed in the Wyndham oral arguments.

Wyndham argued in this respect that the FTC’s substantive unfairness standards for data security exceeded the agency’s authority. First, Wyndham relied on the Supreme Court case of Brown & Williamson, a decision concerning the scope of another federal agency’s regulatory authority. In that case, the Supreme Court determined that the FDA lacked authority to regulate tobacco products because it had disclaimed such authority before; its organic statute did not clearly indicate it had such authority, while Congress had passed other legislation expressly targeting tobacco, and it seemed unlikely that Congress would “delegate a policy decision of such economic and political magnitude to an administrative agency.”

Wyndham argued that all three prongs of the Brown & Williamson test applied in this case. Specifically, it claimed that the FTC had previously disclaimed its unfairness authority over data security at least three times between 1998 and 2001, in testimony and in publications, indicating that the agency believed “while it had power under Section 5 to pursue deceptive practices, such as [a] website’s failure to abide by its stated privacy policy, it could not require companies to adopt privacy policies in the first place”; other statutes expressly address data security and grant the FTC data regulatory authority thereunder; e.g., COPPA, FCRA, GLBA, implying that Congress did not consider or intend the FTC to have such powers in the absence of express authorization, and the national debate over data security legislation remains so contentious that Congress could not have plausibly intended to delegate the decision to set such standards to the FTC “in so cryptic a fashion.” During the hearing, however, U.S. District Court Judge Salas questioned the applicability of Brown & Williamson, stating, “I really think it is distinguishable.”

Countering these arguments, the FTC claimed that Brown & Williamson was a unique case and did not apply in Wyndham; and that in any event, none of the three prongs of the Brown & Williamson test precluded FTC authority over data security. Specifically, the FTC contended, “the substantial harm question is key here.” It explained that the FTC Act provided the agency with a baseline authority to act in cases of unfairness where it can prove substantial harm to consumers. In those situations where consumer harm is difficult to establish, specific statutes have been enacted to specify actionable unfair practices. Thus, when the FTC asked Congress for additional authority over data security and when Congress passed specific data security laws, this was intended to help define injury in specific circumstances, not to concede a lack of authority generally. In Wyndham, the FTC contends, it is alleging substantial injury with regard to which it “always had the authority to act” under its unfairness power.

Consumer Harm

In its analysis of the case, PogoWasRight pointed out that “the FTC’s response reflected a broader definition of ‘harm’ than we generally see recognized by courts in data breach lawsuits.” Wyndham contested the sufficiency of the pleadings, contending that the FTC’s stated $10.6 million harm for fraud costs ignored that “federal law protects card users . . . in excess of $50. . . And they know in addition to this that every major card brand exempts the consumers from the $50.” In other words, Wyndham argued that the FTC authority is limited to enforcement in instances of consumer harm, and that given the $50 statutory cap on cardholders’ liability, which is regularly waived entirely by card issuers, it was not consumers but rather businesses that suffered fraud losses. Moreover, Wyndham maintained that the FTC failed to specify which of its security practices caused the alleged harm.

In response, the FTC claimed that consumer harm in this case included “unreimbursed fraud charges, the loss of access to funds as a result of frozen or depleted bank accounts, even if temporary, temporary loss of access to credit, and the cost of reasonable mitigation, and then we also allege injury in the form of time, trouble and aggravation dealing with unwinding this fraud, and with reestablishing recurring payments after the credit cards have to be changed for hundreds of thousands of consumers.” To maintain these more sweeping claims of harm, the FTC relied on FTC. v. Niovi, a 2010 Ninth Circuit case that “found that even if consumers were fully reimbursed or raised on their debit accounts as a result of unfair data security practices by the defendant in that case, even though they were reimbursed, the time, trouble and aggravation of being reimbursed constituted a harm under the FTC Act.”

Section 5 Requirements & Fair Notice

Wyndham expanded its Section 5 authority arguments to contest the insufficiency of the FTC’s data security guidelines, leading to a discussion of “whether the FTC is required to provide fair notice of what Section 5 requires.” Indeed, nearly a quarter of the oral arguments, which span 186 pages, revolved around the FTC’s data security expertise—or lack thereof—and the agency’s reliance on reasonableness standards rather than formal regulation or rulemaking.

The central arguments concerned whether the FTC’s informal guidance is generally sufficient for businesses like Wyndham to know just what security practices are required to avoid an “unfairness” enforcement action. However, Judge Salas repeatedly indicated that this discussion might be better resolved after the discovery stage, which will shed light on whether Wyndham had actual notice or knowledge.

Wyndham contended that because the FTC has not issued any formal regulations, there was effectively no fair notice of requisite data security requirements, and thus the dispute may appropriately be dealt with in a motion to dismiss. Wyndham maintained that the FTC’s “reasonableness” standard is ambiguous and does not provide businesses with any specific guidance to achieve a data security safe harbor in the way that other agencies, such as the Securities and Exchange Commission or Department of Homeland Security, have done by adopting specific standards and rules. Wyndham also began a discussion of whether the FTC had published even informal guidance on the data security practices that it alleged the hotel chain violated at the time of the breach; however, this inquiry did not progress further.

The FTC, in turn, argued that its informal guidance in this area has put businesses on notice of what is required to meet a “reasonableness” standard. The agency maintained that its guidance booklets, best practice publications, growing body of consent decrees and the presence of industry standards suffice to flesh out what “reasonable” conduct is in the data security realm. The FTC pointed to the broad utility of objective reasonableness standards elsewhere in the law, and the need for a flexible standard given both the dynamic nature of data security technologies and the range of affected players. The FTC also rejected the argument that “for every unfairness case that the FTC brings, there must first be a rule” by pointing to the agency’s large body of unfairness cases, including its competition cases determined on the totality of circumstances, without the predicate of a rule.

Wyndham addressed the growing body of FTC consent decrees, emphasizing that they are non-binding “FTC victories” not decided on the merits. The FTC, meanwhile, argued that “it is within an agency’s informed discretion to proceed by ad hoc litigation” rather than rulemaking, and that the consent decrees and complaints, while representing only one source of guidance, “provide parties with notice about the ... types of things that the FTC evaluates” in deciding the reasonableness of a company’s data security actions. In their recent article The FTC and the New Common Law of Privacy, Solove and Hartzog examined the emergence of such specific standards embodied in FTC settlements.

Finally, the parties debated on the applicability of two Third Circuit cases, Dravoand Beverly  Healthcare-Hillview, concerning the administrative review standard of “ascertainable certainty.” On the one hand, Wyndham claimed that in Dravo, “The Third Circuit said the agency must be able to state with ascertainably certainty what protections a company must employee in order to comply with the regulation.” On the other hand, the FTC pointed out that the Beverly court “states that ascertainable certainty is not the standard … the conditions are that if agency hasn’t reversed itself, and if the interpretation is publicly available, an ascertainable certainty is not the standard.” The parties disagreed over whether these cases applied at all in the present circumstances (Wyndham contended they did and in its favor; the FTC argued they did not, or if they did, they pointed in its favor); they also disagreed over whether or not an objective reasonableness standard would provide “ascertainable certainty” (Wyndham contended it did not; the FTC argued it did).

Repeatedly, Wyndham underlied it position in this case with the appeal that “Congress gave [the FTC] rule-making authority. So if they want to do something, they have to publish the rules.” PogoWasRightpointed out that “Wyndham should be careful what it wishes for.” If the FTC does begin publishing rules, which the agency has so far avoided in the data security field for concern that to create a rule that applies “to everyone equally, we might end up with a rule that is very onerous to small businesses;” there is no guarantee those rules would ease the compliance burden.

Other Claims

While the privacy world at large is more interested in the challenges to the FTC’s unfairness authority, the oral arguments also discussed the FTC’s deception claims, as well as the other Wyndham entities’ motions to dismiss and motion to stay discovery. The deception claim hinges on consumer expectations and the clarity of the relationship between the franchisees whose data breaches sparked the action and Wyndham as franchisor. In this case, Wyndham’s privacy policy stated that franchisees were individually responsible for maintaining their own data security systems.

Even though Wyndham will most likely progress beyond the motions to dismiss and onto the next stage of litigation, Judge Salas could not promise a resolution on these challenging issues anytime soon. In the meantime, she refused to stay the continued progress of the case and ordered the parties to proceed with pretrial discovery. In the meantime, the rest of the privacy world will wait with bated breath to see if the FTC’s unfairness authority and settlement schemes—and the compliance regimes and expectations built around them—will survive their first real challenge.

Read More By Kelsey Finch:
Straight from the Pacific Ocean: A Tidal Wave of California Privacy Laws
Location Tracking: Now Coming to a Government, Employer and Retailer Near You