A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the decision means that the Commission for now maintains its status as the lead commercial data security regulator in the United States.
Commenting that she “ha[d] wrestled with arguments in the parties’ initial briefing, oral argument, supplemental briefing, as well as in several amici submissions,” Judge Esther Salas of the U.S. District Court for the District of New Jersey concluded, among other rulings:
- There is no data security carve-out to the FTC’s Section 5 general unfairness authority. Judge Salas ruled that laws that expressly grant the FTC the ability to regulate data security – such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Children’s Online Privacy Protection Act – do not preclude its ability to regulate data security under its unfairness authority, but rather complement it. Moreover, the judge concluded that a few statements made by the FTC implying that the agency did not have the authority to regulate data security did not diminish its ability to bring data security claims under Section 5.
- The Commission’s allegations of “more than $10.6 million in fraud loss” resulting from the allegedly deficient data security practices constituted sufficient harm to plead a Section 5 unfairness claim. One requirement to sustain a Section 5 unfairness claim is that the unfair practice must “cause or [be] likely to cause substantial injury to consumers.” Judge Salas ruled that the FTC adequately pleaded this requirement by alleging that the “failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection and use,” which “caused and is likely to cause substantial consumer injury, including financial injury.” Combined with the complaint’s allegations of specific data security insufficiencies and fraud loss, Judge Salas ruled that the FTC met the pleading requirements. As an aside, and although not on point in this case, the judge commented in a footnote that she was “not convinced that non-monetary harm is, as a matter of law, unsustainable under Section 5 of the FTC Act.”
- Wyndham’s representations about its data security practices also were sufficient to support a Section 5 deception claim. The FTC cited a number of Wyndham’s generic statements about its data security practices to support its claim that the statements constituted a deceptive practice under Section 5. These included representations that “[w]e safeguard our Customers’ personally identifiable information by using industry standard practices” and make “commercially reasonable efforts” to collect personally identifiable information “consistent with all applicable laws and regulations.” Judge Salas ruled that these representations, accepting the FTC’s factual allegations as true and drawing reasonable inferences in favor of the Commission, were actionable as deceptive statements under Section 5.
Crucially, the judge ruled only on the ability of the FTC to bring general data security claims under Section 5 of the FTC Act; the ruling was not a finding that Wyndham’s actual data security practices violated the law, a question that for now will continue to be litigated. Unless an extraordinary interlocutory appeal is permitted, an appellate court will not have the opportunity to rule on Judge Salas’s view of FTC jurisdiction for some time, if at all.
In effect, this ruling gives a judicial stamp of approval to the FTC’s ongoing enforcement of commercial data security practices. In the almost two years since the Commission originally filed its complaint, it has settled twelve different data security investigations under Section 5. And unless this decision is overturned on appeal or another court rules to the contrary (or Congress acts to clarify authorities to regulate cybersecurity), security practices that the FTC deems “unreasonable” or “inappropriate” in informal guidance or in complaints issued along with consent orders will continue to serve as a de facto legal standard for data security in the United States.