FTC Has Power to Regulate Data Security; Wyndham Case to Proceed on the Merits

Published: Aug. 25, 2015

Updated: Oct. 05, 2020

Companies have yet another reason to pay attention to their privacy policies and ensure their data security systems are up to snuff. Marking another important win for the FTC in FTC v. Wyndham, the Court of Appeals for the Third Circuit has affirmed the FTC’s authority to bring enforcement actions against companies with unfair data security practices. You can read our earlier blogs following this case here. The three-judge appellate panel denied Wyndham’s motion to dismiss and affirmed the FTC’s legal authority to pursue its unfair and deceptive practices claims over Wyndham’s allegedly lax data security practices, which resulted in three separate breaches of over half a million guests’ credit card information in 2008 and 2009. The FTC claimed that the breaches happened despite Wyndham promising in its privacy policy to safeguard customers’ data “using industry-standard practices.”

The court rejected all of Wyndham’s arguments, noting that Wyndham “offer[ed] no reasoning or authority for [the] principle” that its conduct could not meet the congressional definition of “unfair” under the FTC Act because the company itself was a victim. Nor did the court find persuasive Wyndham’s argument that the action improperly attempted to retroactively impose vague security requirements on the company. The court also thought that Wyndham’s suggestion that the FTC needs to have more specific data-protection guidelines missed the point. Rather, “the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.” Fair notice, the court said, “is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”

And the court took Wyndham to task for an “alarmist” argument that granting the FTC the power to bring enforcement actions against companies that had failed to implement reasonable security was akin to regulating the locks on hotel room doors. Such an argument, the court said, “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

The court noted that reasonable data security practices should be evaluated using a cost-benefit analysis, and that Wyndham’s data security choices, together with its experience of hackers infiltrating its systems on three separate occasions, should have put it on notice that it had not implemented reasonable security practices. Specifically, Wyndham failed to use any firewall at critical network points, restrict specific IP addresses, use any encryption for certain customer files, and require users to change their default or factory-setting passwords. Moreover, the court noted that the FTC’s 2007 Protecting Personal Information guidebook and its data security consent decrees with other companies provided Wyndham with notice that its data security practices may not be reasonable.

FTC Chairwoman Edith Ramirez lauded the decision, saying that “[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” Although Wyndham released a statement that it still “contend[s] the FTC lacks the authority to pursue this type of case,” the decision reaffirms, for the foreseeable future, the FTC’s power to bring complaints against companies that fail to use reasonable security practices. Companies should start by referring to the FTC’s “Start with Security,” a comprehensive guide to over 50 FTC data security settlements, to better understand and avoid the practices that lead to unfair and deceptive practices enforcement actions.