Data Security

Court Supports FTC Role as Data Security Regulator

Published: Apr. 14, 2014

Updated: Oct. 05, 2020

In a significant opinion issued on April 8, District Judge Esther Salas held that the FTC has the authority to proceed in an enforcement action against Wyndham Worldwide Corporation and three of its subsidiaries, collectively a global hospitality company. The FTC filed a complaint against Wyndham in 2012 alleging that Wyndham’s “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information” violated both the deception and unfairness prongs of the FTC Act (15 USC § 45(a)).

While the FTC has been a key player in other types of privacy enforcement actions, and has resolved earlier data security matters through settlements, Wyndham is the first company to contest an FTC data security action in court rather than settle it. Wyndham argued that the FTC did not provide “fair notice of conduct that is forbidden or required” since it had not formally issued any data security rules or regulations. The Court rejected this argument and found that the notion of “fair notice” does not require formal guidance, and that “the proscriptions in Section 5 are necessarily flexible.” The Court noted that such flexibility is particularly important given the rapid rate of change in this digital era. The Court was persuaded that Wyndham had fair notice because of the FTC’s public complaints, consent agreements, statements, and business guidance brochure. Wyndham’s argument that the “reasonableness” standard the FTC is measuring it against was too vague also failed, since the Court noted Wyndham’s own references to reasonableness and industry best practices in its Privacy Policy.

The Court’s ruling did not address the ultimate issue of whether Wyndham is liable for the allegedly improper data security practices, but it is significant nonetheless because it is the first time a court has endorsed the FTC’s authority to bring this type of enforcement action at all. The Court found that the FTC’s authority would complement the existing hodgepodge of privacy and data security laws (some limited to certain industries, some geographically limited, and many still working their way through legislatures).

While this opinion is only the first in what is bound to be a lengthy litigation, an important takeaway for companies is that they will be held to their own policies, at a minimum. So if you say your practices are reasonable, make sure you are regularly testing and evaluating them and responding to any security incidents. And take note of any guidance, whether formal or informal, that the FTC issues about data security practices, as the FTC is clearly becoming an important player in this arena.