In Standoff with FTC, Wyndham Shoots Itself in the Foot

The Federal Trade Commission’s (FTC) resounding victory over Wyndham Worldwide Corporation in a U.S. District Court paves the way for increasing privacy and data security action by the agency, which over the past decade has asserted itself as the most forceful and well-respected privacy enforcement authority in the world.

In the end, Wyndham resorted to an argument raised by the tobacco industry in Supreme Court litigation against a market regulator. That’s telling, since tobacco, like data, is toxic, and those who fail to implement reasonable, industry-standard protections, including comprehensive privacy and data security programs, can expect to pay dearly in reputation and market valuation, litigation costs and long-term external audits. The court in Wyndham flatly denied the company’s argument that the FTC’s authority to regulate data security is in any way curtailed by the Supreme Court’s decision in FDA v. Brown & Williamson.

The Wyndham decision is a wakeup call to anyone who has doubted the emergence of an FTC privacy and data security jurisprudence, which Dan Solove and Woody Hartzog have called “a new common law of privacy.” The court agreed that Wyndham’s argument—that detailed data security rules are a prerequisite to FTC enforcement—“would undermine 100 years of FTC precedent.” Rejecting Wyndham’s claim that “agencies cannot rely on enforcement actions to make new rules,” the court held Wyndham’s “argument that consent orders do not carry the force of law, therefore, misses the mark.” In doing so, it cited with approval a 1976 decision of the Supreme Court, holding, in another context, that “the rulings, interpretations and opinions of the (regulator) under this act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” These strong words will resonate to provide impetus for future privacy enforcement by the agency.

This trajectory makes projects such as the Westin Research Center’s casebook of FTC privacy and data security enforcement actions particularly timely for professionals on the ground. Already, practitioners parse FTC decisions and consent orders immediately upon release to look for guidance and insights into industry best practices. Creating a mobile architecture that re-delegates permissions by bypassing the restrictions of an operating system? No one will do that again after the FTC’s settlement with HTC. Uploading contacts to simplify app functionality without asking for explicit consent? The Path settlement put an end to that.

This emerging jurisprudence is a testament to how much can be done with a succinctly phrased legislative mandate, the “unfair or deceptive acts or practices” standard in Section 5 of the FTC Act. Under this language, the FTC has developed a robust data protection body of law, comprising dozens of enforcement actions against the mightiest of companies, including the imposition of stiff fines and comprehensive long-term compliance programs on the likes of Google, Facebook, Choicepoint and Sears.

This track record overshadows the achievements of any other privacy enforcement authority in the world, including regulators that operate under laws spanning thousands of words. As the court pointed out, the FTC’s mandate to implement “reasonable” data security practices was not hollow. It was filled with substance accumulated through a long line of data security cases, enabling the FTC to accuse Wyndham of “failing to employ firewalls; permitting ‘storage of payment card information in clear readable text’; failing to make sure Wyndham-branded hotels ‘implemented adequate information security policies and procedures prior to connecting their local computer networks to (Wyndham’s) computer network’; permitting Wyndham-branded hotels ‘to connect insecure servers to (Wyndham’s) networks, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities’…” – and (much) more.

Legal experts will no doubt question Wyndham’s strategy in this case. Instead of focusing on the complex issue of privacy harm, which merits discussion and is far from settled, Wyndham’s lawyers chose to challenge the FTC’s authority to enforce in this space in light of the vagueness of its legislative mandate. Yet it is impolitic to argue that the law is not detailed enough to be enforced, even as industry lobbies against prescriptive data protection legislation. Indeed, corporations should commend the court’s ruling. A decision to curb FTC activity could create a regulatory vacuum, which would surely be filled by a plethora of activity by state attorneys general, private and class-action litigants and state and federal legislators.

Wyndham fired blanks with some of its other legal arguments, too, such as relying on legalese in its privacy statement to disavow responsibility for its franchisees’ data practices or disclaiming the existence of clear data security guidelines while at the same time announcing compliance with “industry standard practices” in its privacy policies.

The court emphasized that it “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” While the commission will submit a report on its study of data brokers’ collection and use of consumer data, as well as on the privacy and security implications of the Internet of Things, at the same time that it is continuing its case-by-case enforcement actions, few observers think there is much reason for concern. The FTC, over decades of activity, has been extremely judicious in exercising its power and can be expected to carefully but surely continue to develop privacy and data security law.

photo credit: Gunfight via photopin cc

Written By

Omer Tene

1 Comment

  • Steven Conrad (MediaPro) Apr 8, 2014

    The Wyndham and LabMD cases directly question whether the FTC is authorized to engage in enforcement activity related to data security that is independent of specific statutory authority. The FTC is instead relying on its general consumer protection authority. Both of these cases (also interesting is that the LabMD case involves PHI and HIPAA enforcement) will have a significant impact on the regulation of data security by the FTC. If the FTC wins these actions, it will take the next step in the process to expand its role as the primary regulator of data security and privacy. The FTC seems to be trying to expand its reach to any company that maintains sensitive personal data, irrespective of industry. Interesting times …
