FTC Has Power to Regulate Data Security Practices, Court Rules
By Jenny Paul, Roberta Anderson and Marty Stern
In a closely watched case, a federal district court judge last week ruled that the Federal Trade Commission has the authority to bring enforcement actions against companies for data security breaches as an unfair practice under the FTC Act.
The FTC brought suit against Wyndham Worldwide Corporation and several of its subsidiaries in 2012, alleging that the companies’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information violated the FTC Act’s prohibition of unfair or deceptive acts or practices affecting commerce. One of the subsidiaries, Wyndham Hotels and Resorts LLC, moved to dismiss part of the action, arguing that the FTC did not have the authority to bring an “unfairness” claim that involved data security. The court disagreed, finding that specific data security legislation passed after the FTC Act merely complemented the FTC’s unfairness authority and did not preclude it.
Wyndham also argued the FTC was required to formally promulgate regulations to provide fair notice of what data security standards the FTC required. The court rejected that argument, finding that formal regulations are not the only means of providing fair notice. It noted that Section 5 of the FTC Act itself provides a three-part test for determining whether an act or practice is unfair, and that parties may look to the FTC’s complaints against entities, consent agreements, and public statements to determine the FTC’s standard for bringing an unfairness claim under the Act.