Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre-Wyndham and LabMD era, those inquiries typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers, as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and one of only two instances in which a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that the company engaged in unfair practices because of inadequate data security practices. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court for lack of jurisdiction. Wyndham lost in the district court, and on interlocutory appeal the federal court of appeals upheld that ruling but remanded the case to the district court for a trial on the merits, which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in Section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry.
The United States Court of Appeals for the Third Circuit’s much-anticipated ruling in FTC v. Wyndham has now been released. The court affirmed the FTC’s authority under Section 5 of the FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. The court also affirmed the district court’s finding that the Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. With this decision, the case will now move forward to the merits phase at the district court.
News headlines about data breaches are becoming more and more common. During the last year alone, major retailers, restaurants, and financial institutions have all reported data breaches. The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the breach. In recent years, a new trend is also emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation provides insight into the steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits.