What the FTC’s Win in Wyndham May Mean for Marketers

3 Nov, 2015
By: Linda A. Goldstein, Holly Melton, Manatt Phelps & Phillips

On the heels of the Wyndham decision recently issued by the United States Court of Appeals for the Third Circuit in Philadelphia, companies should consider revisiting their data security policies.
In the long awaited and widely anticipated decision, the court unanimously affirmed the Federal Trade Commission’s (FTC) authority to bring enforcement actions challenging companies’ data security practices under the unfairness prong of Section 5 of the FTC Act, even in the absence of specific guidance by the FTC as to what constitutes acceptable data security standards. The case is likely to fuel increased enforcement actions on the part of the FTC against companies that experience a data breach or utilize data security practices the FTC deems otherwise deficient.
Chairwoman Edith Ramirez strongly hinted at such actions in her reaction to the decision, where she said, “Today, the Third Circuit Court of Appeals reaffirms the FTC’s authority to hold companies accountable for failing to safeguard customer data. It is not only appropriate but critical that the FTC has the ability to take such action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Between April 2008 and January 2010, Wyndham suffered three data breaches that exposed more than 600,000 consumers’ payment account information, allegedly resulting in more than $10.6 million in fraudulent charges to consumers’ financial accounts. After unsuccessful settlement negotiations, the FTC filed a complaint against Wyndham, alleging that its failure to maintain adequate data security policies constitutes an unfair practice.
Wyndham moved to dismiss the complaint, arguing: (1) the FTC lacks authority to regulate cyber security under the unfairness prong of Section 5; and (2) even if the FTC possesses such authority, Wyndham did not have fair notice that its data security practices fell short of the law because the FTC has not promulgated rules or regulations setting forth precisely what acceptable data security practices would be. The district court denied Wyndham’s motion to dismiss, and certified its decision on the unfairness claim for interlocutory appeal.
On appeal, the Third Circuit rejected all of Wyndham’s arguments, unanimously confirming the FTC’s authority under the “unfairness” doctrine to go after companies that do not take sufficient measures to protect consumers’ personal information and squashing the idea that companies can hide behind the lack of specific guidance to skirt the law. The court also noted that Wyndham’s own prior data breaches, and guidance provided by the FTC in other consent decrees and enforcement actions involving data security breaches, were sufficient to provide Wyndham with adequate notice that its data security measures were deficient. Finally, the Court rejected Wyndham’s argument that it was a “victim” of the breach as well.
While the FTC has not enacted specific rules or regulations setting forth what constitutes an adequate data security policy, certain guidance may be helpful. For example, in 2007, the FTC issued a guidebook titled Protecting Personal Information: A Guide for Business, which describes a checklist of practices that would likely form a sound data security plan. Businesses should also be aware of the January 2015 FTC Staff Report on the Internet of Things, which urges companies to adopt best practices to address consumer privacy and security risks. A January 2015 nuts-and-bolts publication titled Careful Connections: Building Security in the Internet of Things also provides advice to businesses developing the next generation of connected devices. These publications can all be found on the FTC’s website: www.ftc.gov.
In June, the FTC kicked off a business education initiative called “Start With Security.” As part of this initiative, the FTC issued another guidebook titled Start With Security: A Guide for Business (also located on its website) that identifies 10 security vulnerabilities, along with practical guidance on how to reduce the risks they pose to businesses based on the FTC’s more than 50 data security settlements. The initiative also involves a series of conferences held across the country during which data security issues will be discussed. The first was held in San Francisco in September, and the next is scheduled for this week – November 4 – in Austin, Texas.
The Wyndham decision undoubtedly solidified the FTC’s authority to regulate cyber security, and may embolden the FTC to ramp up its already active data security enforcement agenda. While Wyndham is pending in district court, the FTC is likely to continue its enforcement efforts, particularly where data breaches occur.
In this climate, companies must take the opportunity to review their cyber security policies to ensure that they contain reasonable and appropriate safeguards to protect against unauthorized misuse of sensitive consumer information. While having a robust data security policy may not completely prevent a data breach, it may be the difference between litigating with the FTC versus obtaining a closing letter after an investigation, which is what happened in August, following the FTC’s investigation into the Morgan Stanley Smith Barney data breach.
Linda A. Goldstein is chair and of the Advertising, Marketing and Media division of Manatt Phelps & Phillips LLP, based in the firm’s New York office. Holly Melton is counsel at the firm. Goldstein can be reached at firstname.lastname@example.org, while Melton can be reached at email@example.com.