Wyndham lawsuit tests FTC's data security enforcement authority
Federal judge in N.J. this week let Chamber of Commerce and others file motion to dismiss suit
A federal court judge in New Jersey on Wednesday agreed to allow the U.S. Chamber of Commerce and several other organizations to seek the dismissal of a closely watched data breach lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp.
The groups accused the FTC of holding breached entities like Wyndham to unfair and arbitrary standards and alleged that the FTC is forcing businesses into lengthy data breach settlements and imposing costly fines for violating security standards the agency hasn't even formally promulgated.
In addition to the Chamber of Commerce, others who want the suit dismissed include the TechFreedom, the American Hotel and Lodging Association, National Federation of Independent Businesses and the International Franchise Association.
The amicus briefs, prepared months ago, are related to a data breach lawsuit filed by the FTC against Wyndham and three subsidiaries in June 2012.
The lawsuit alleged that the hotel operator suffered three major data breaches in two years because it had failed to implement reasonable information security measures. The breaches resulted in hundreds of thousands of credit and debit cards being compromised and more than $10.6 million in fraud losses.
The FTC accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was \ adequately protected when, in fact, it was not.
Many see the case as a landmark test of the FTCs authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this Section 5 authority to force numerous settlements, or "consent decrees," from companies that suffered data breaches.
In previous cases, the FTC accused the breached entity of engaging in unfair and deceptive trade practices for promising to protect consumer data in their privacy notices, but then failing to do so. Some of the consent decrees have involved considerable fines, lengthy periods of monitoring and third-party security audits.
In 2006 for example, the FTC imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. over a data breach that compromised over 180,000 credit and debit cards. As part of its agreement, ChoicePoint was also required to submit to comprehensive security audits every two years for the next 20 years.
In 2012, online gaming firmRockYou agreed to pay a $250,000 fine and submit to third-party audits for 20 years as part of an FTC settlement over a data breach.
The Wyndham lawsuit marks the first time the FTC has had to go to a federal court because a breached entity refused to settle.
In their legal briefs, the Chamber of Commerce and the others accused the agency of routinely punishing businesses for failing to have reasonable security standards without ever specifying what exactly it considers as a reasonable standard. They also questioned the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act.
"Nothing in Section 5 suggests that Congress intended to give the FTC the authority to regulate data security" the Chamber of Commerce said in its 25-page motion to dismiss.
That motion noted that the FTC's data security enforcement actions harken back to its overzealous use of the unfair and deceptive practices provisions to pursue other perceived business misdeeds in the past. The agency's past enforcement excesses using Section 5 led to Congress imposing restrictions on its authority in 1994, the Chamber argued.
"Despite these acknowledged statutory constraints, carefully calibrated by Congress in response to years of agency overreaching, the FTC again is attempting to use Section5 inappropriately," the Chamber said.
Berin Szoka, president of TechFreedom, said the case is important because it's the first time since the FTC began its data breach enforcement actions nine years ago that any company had challenged its enforcement authority.
All of the 41 companies hit with FTC lawsuits so far have quietly acquiesced to its settlement terms for fear of attracting more attention and trouble, Szoka said. When confronted with the choice of settling a case or going through a long and potentially costly investigative and discovery process, companies tended to choose the former, he noted.
"The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law," he said. Even so, it has not established any such law through its enforcement actions, he said.
"Here, all you have to go on are these 41 enforcement actions where the FTC has convinced companies to settle out of court with no adjudication. The courts have never signed off and said we think this is the proper interpretation," Szoka said.
As a result, companies have little information to guide them on what exactly constitutes reasonable care, deception and unfair practices in the FTC's eyes, he said.
Chris Hoofnagle, director of information privacy programs at the University of California Berkeley Center for Law & Technology, described the dismissal efforts as a "Hail Mary effort to stop the FTC from enforcing its unfairness power.
"For decades, long before the FTC became involved in privacy, business groups have tried to cabin the FTC so that it can only enforce wrongs that were addressable by the common law," Hoofnagle said in emailed comments to Computerworld.
In an amicus brief supporting the FTC's position, Hoofnagle noted that the agency's enforcement actions have served as the only effective means of holding companies accountable for failing to protect data entrusted to them by consumers.
Although consumers can suffer substantial harm from a data breach, federal courts have been reluctant to recognize private tort action against breached entities. So the FTC enforcement actions have been the primary protection for consumers, he said.
"Congress, in creating the FTC and in empowering it to police unfair and deceptive trade practices, explicitly gave the agency power to determine what is unfair and deceptive." Trying to make the FTC an entity that can only enforce common law defeats the purpose for which it was created, Hoofnagle said. "[It] raises a basic question: Why have the FTC at all?"
FTC officials could not be reached immediately for comment on the case.
This article, Wyndham lawsuit tests FTCs data security enforcement authority, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter @jaivijayan or subscribe to Jaikumar's RSS feed Vijayan RSS. His e-mail address is email@example.com.
See more by Jaikumar Vijayan on Computerworld.com.