The Federal Trade Commission’s (FTC) resounding victory over Wyndham Worldwide Corporation in a U.S. District Court paves the way for increasing privacy and data security action by the agency, which over the past decade has asserted itself as the most forceful and well-respected privacy enforcement authority in the world.
In the end, Wyndham resorted to an argument raised by the tobacco industry in Supreme Court litigation against a market regulator. That’s telling, since tobacco, like data, is toxic, and those who fail to implement reasonable, industry-standard protections, including comprehensive privacy and data security programs, can expect to pay dearly in reputation and market valuation, litigation costs and long-term external audits. The court in Wyndham flatly denied the company’s argument that the FTC’s authority to regulate data security is in any way curtailed by the Supreme Court’s decision in FDA v. Brown & Williamson.
The Wyndham decision is a wakeup call to anyone who has doubted the emergence of an FTC privacy and data security jurisprudence, which Dan Solove and Woody Hartzog have called “a new common law of privacy.” The court agreed that Wyndham’s argument—that detailed data security rules are a prerequisite to FTC enforcement—“would undermine 100 years of FTC precedent.” Rejecting Wyndham’s claim that “agencies cannot rely on enforcement actions to make new rules,” the court held Wyndham’s “argument that consent orders do not carry the force of law, therefore, misses the mark.” In doing so, it cited with approval a 1976 decision of the Supreme Court, holding, in another context, that “the rulings, interpretations and opinions of the (regulator) under this act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” These strong words will resonate to provide impetus for future privacy enforcement by the agency.
This trajectory makes projects such as the Westin Research Center’s casebook of FTC privacy and data security enforcement actions particularly timely for professionals on the ground. Already, practitioners parse FTC decisions and consent orders immediately upon release to look for guidance and insights into industry best practices. Creating a mobile architecture that re-delegates permissions by bypassing the restrictions of an operating system? No one will do that again after the FTC’s settlement with HTC. Uploading contacts to simplify app functionality without asking for explicit consent? The Path settlement put an end to that.
This emerging jurisprudence is a testament to how much can be done with a succinctly phrased legislative mandate, the “unfair or deceptive acts or practices” standard in Section 5 of the FTC Act. Under this language, the FTC has developed a robust data protection body of law, comprising dozens of enforcement actions against the mightiest of companies, including the imposition of stiff fines and comprehensive long-term compliance programs on the likes of Google, Facebook, ChoicePoint and Sears.
This track record overshadows the achievements of any other privacy enforcement authority in the world, including regulators that operate under laws spanning thousands of words. As the court pointed out, the FTC’s mandate to implement “reasonable” data security practices was not hollow. It was filled with substance accumulated through a long line of data security cases, enabling the FTC to accuse Wyndham of “failing to employ firewalls; permitting ‘storage of payment card information in clear readable text’; failing to make sure Wyndham-branded hotels ‘implemented adequate information security policies and procedures prior to connecting their local computer networks to (Wyndham’s) computer network’; permitting Wyndham-branded hotels ‘to connect insecure servers to (Wyndham’s) networks, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities’…” – and (much) more.
Legal experts will no doubt question Wyndham’s strategy in this case. Instead of focusing on the complex issue of privacy harm, which merits discussion and is far from settled, Wyndham’s lawyers chose to challenge the FTC’s authority to enforce in this space in light of the vagueness of its legislative mandate. Yet it is impolitic to argue that law is not detailed enough to be enforced, even as industry lobbies against prescriptive data protection legislation. Indeed, corporations should commend the court’s ruling. A decision to curb FTC activity could create a regulatory vacuum, which would surely be filled by a plethora of activity by state attorneys general, private and class-action litigants and state and federal legislators.
Wyndham fired blanks with some of its other legal arguments, too, such as relying on legalese in its privacy statement to disavow responsibility for its franchisees’ data practices or disclaiming the existence of clear data security guidelines while at the same time announcing compliance with “industry standard practices” in its privacy policies.
The court emphasized that it “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” While the commission will submit a report on its study of data brokers’ collection and use of consumer data, as well as on the privacy and security implications of the Internet of Things, at the same time that it is continuing its case-by-case enforcement actions, few observers think there is much reason for concern. The FTC, over decades of activity, has been extremely judicious in exercising its power and can be expected to carefully but surely continue to develop privacy and data security law.