One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham

By Daniel J. Solove

Posted on April 16, 2014


The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and yesterday, it finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people's data with "good," "adequate," or "reasonable" security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn't outweighed by other benefits.

For more background about the FTC's privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waged in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges to the FTC's power to regulate data security under the FTC Act.

The Court's Opinion and Some Thoughts

1. The FTC's Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA), Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that "subsequent data-security legislation seems to complement—not preclude—the FTC’s authority."

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.

2. Fair Notice

Wyndham argued that the FTC failed to provide fair notice about what security practices the FTC deemed unfair under the FTC Act. But the court held that the FTC's interpretations of the FTC Act "while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance." (quoting Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141-42 (1976)).

My article with Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), addresses this point. We argue that FTC complaints and consent decrees have many features that are akin to common law, and they are treated quite akin to common law by privacy lawyers. Over time, when interpreting a broad law, the collected cases will start to resemble a more specific set of rules.

Hartzog and I reviewed all of the FTC's cases on data security and compiled a list of the specific data security practices that the FTC found fault with. This list is on pp. 651-655 of our article. Thus, we believe that sufficient guidance can be found in the FTC cases.

3. Consumer Harm

Wyndham also contended that the FTC failed to plead sufficient consumer harm. The court, however, concluded that the FTC's allegations were that "data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers."

Harm has long been a contentious and challenging issue in privacy and data security cases, but unlike other areas of law, the FTC can use a rather broad theory of harm.

Conclusion

This case has very important implications for data security as well as for privacy. The FTC has been developing case-by-case a substantial body of jurisprudence around data security and privacy, filling a critical void in U.S. privacy law.

Where do things go from here? The FTC can continue on its current trajectory. Perhaps it will be emboldened by this victory. More litigation in this case likely remains, so this decision will likely not be the final word. But for now, the FTC has won a big battle and has done so with a decisive victory.

Following the above piece, published April 8th, Professor Solove and Professor Woodrow Hartzog published this next blog on April 15th on Professor Solove's LinkedIn Commentary page.


5 Key Quotes from the FTC v. Wyndham Decision on Data Security
This post was co-authored by Professor Woodrow Hartzog.


The long-awaited federal district court opinion in FTC v. Wyndham was finally released last week. The U.S. District Court for the District of New Jersey rejected Wyndham’s arguments that the FTC lacks the authority to regulate unfair data security practices, that the FTC is required to issue rules before bringing an unfair data security complaint, and that the FTC failed to provide fair notice of what constitutes an unfair data security practice.

I blogged about the case here at LinkedIn last week.

Professor Woodrow Hartzog and I just published a more detailed analysis of the case in Bloomberg BNA Privacy and Security Law Report.

For more background about the FTC’s privacy and data security enforcement activity, see our article, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014).

Here are some key quotes from the FTC v. Wyndham decision:

1. “[T]he FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” (p.12)

2. “[T]he Court must consider the untenable consequence of accepting Hotels and Resorts’ proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.” (p. 25)

3. “Indeed, ‘the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.’ Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141-42 (1976) (emphasis added). . . .” (p. 24)

4. “Although the court is not convinced that non-monetary harm is, as a matter of law, unsustainable under Section 5 of the FTC Act, the Court need not reach this issue given the substantial analysis of the substantial harm element above.” (p. 28, footnote 15)

5. “[A]ccepting Hotels and Resorts’ position leads to the following incongruous result: Hotels and Resorts can explicitly represent to the public that it ‘safeguard[s] . . .personally identifiable information by using industry standard practices’ and makes ‘commercially reasonable efforts’ to make collection of data ‘consistent with all applicable laws and regulations’—but that, as a matter of law, the FTC cannot even file a complaint in federal court challenging such representations without first issuing regulations.” (p. 38)


Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is the author of 9 books (including Understanding Privacy and Nothing to Hide: The False Tradeoff Between Privacy and Security) and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

Woodrow Hartzog is an Assistant Professor at Samford University’s Cumberland School of Law. He is also an Affiliate Scholar at the Center for Internet and Society at Stanford Law School and a contributor at Forbes. His research on privacy, media, robotics, and electronic agreements has appeared in numerous law reviews, peer-reviewed journals, and popular publications. Follow Professor Hartzog on Twitter @hartzog.

The views here are the personal views of Professor Solove and Professor Hartzog and are not those of any organization with which they are affiliated.



The preceding posts are republished on TAP with permission by their author, Professor Daniel Solove. “One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham” was originally published April 8, 2014 on Professor Solove’s LinkedIn Commentary page and cross-posted on Concurring Opinions as “FTC v. Wyndham.” “5 Key Quotes from the FTC v. Wyndham Decision on Data Security” was originally published April 15, 2014 on Professor Solove’s LinkedIn Commentary page.

