Making Sense of the FTC’s Data Security Standards and its Wyndham Win | Practical Law

A Legal Update discussing the Federal Trade Commission's (FTC) data security enforcement. It includes a discussion of the US Court of Appeals for the Third Circuit's decision in FTC v. Wyndham Worldwide Corp. holding that the FTC has data security enforcement authority under the unfairness prong of Section 5 of the FTC Act, the FTC's key data security principles and actions that have triggered FTC enforcement.

Making Sense of the FTC’s Data Security Standards and its Wyndham Win

Practical Law Legal Update 8-618-1868 (Approx. 5 pages)

by Practical Law Intellectual Property & Technology
Published on 25 Aug 2015, USA (National/Federal)
Since 2000, the Federal Trade Commission (FTC) has brought more than 50 enforcement actions against businesses over their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), though it has not enacted rules or regulations that address data security under Section 5. On August 24, 2015, in FTC v. Wyndham Worldwide Corp., the US Court of Appeals for the Third Circuit affirmed the US District Court for the District of New Jersey's holding that:
  • The FTC has authority to regulate cybersecurity under the unfairness prong of Section 5.
  • Wyndham Worldwide Corp. and its affiliates had fair notice that their cybersecurity practices fell short of FTC standards, even though the FTC has not enacted data security rules or regulations.

FTC v. Wyndham Worldwide

The FTC brought this case against Wyndham after three data breach incidents in 2008 and 2009 in which hackers obtained payment card information from a total of 619,000 consumers, resulting in at least $10.6 million in fraud losses. Wyndham, a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries, also licenses its brand name to about 90 independently owned hotels. According to the FTC's complaint, each hotel had a property management system that processed consumer information, and Wyndham operated a computer network in Phoenix, Arizona that connected its data center with the property management systems of each hotel.
The FTC alleged that Wyndham had engaged in cybersecurity practices that, taken together, were unfair and unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft. The FTC pointed to the following practices:
  • Allowing hotels to store payment card information in clear, readable text.
  • Allowing use of easily guessed passwords to access property management systems.
  • Failing to use readily available security measures, such as firewalls, to limit access between hotels' property management systems, the corporate network and the internet.
  • Allowing the individual property management systems to connect to Wyndham's network without taking appropriate cybersecurity precautions.
  • Failing to adequately restrict third-party vendor access to its network and hotel servers.
  • Failing to employ reasonable measures to detect and prevent unauthorized access.
  • Failing to follow proper incident response procedures.
The FTC also alleged a deception claim premised on Wyndham's privacy policy, which the FTC claimed overstated the company's cybersecurity.
Wyndham filed an FRCP 12(b)(6) motion to dismiss. The district court denied the motion and certified the decision for interlocutory appeal. Wyndham appealed the unfair practices claim but not the deceptive practices claim.
On appeal, the Third Circuit affirmed the district court's decision on the FTC's authority to regulate cybersecurity. Under Section 5, an act or practice is unfair only if it satisfies all the following criteria:
  • It causes or is likely to cause substantial injury to consumers.
  • Consumers are not reasonably able to avoid the injury.
  • The injury is not outweighed by countervailing benefits to the consumers or to competition.
Wyndham argued that these factors were necessary but, without more, insufficient to establish an unfairness claim. The court rejected this argument, however, noting that Wyndham's proposed additional requirements were either unpersuasive or were satisfied on the face of the complaint. The court rejected Wyndham's arguments that:
  • The FTC's asserted authority to assert an unfairness claim under the circumstances was contrary to:
    • its own statements to Congress about its authority; and
    • subsequent legislation, including the Gramm-Leach-Bliley Act (GLBA) and the Children's Online Privacy and Protection Act (COPPA), which specifically directed the FTC to enact data security rules.
  • A crime victim could not be held accountable under the unfairness standard for the results of the criminal conduct.
The Third Circuit also affirmed the district court's holding that the FTC had provided fair notice to Wyndham of its cybersecurity obligations, in part because, under the relevant legal standard, Wyndham needed only to be on notice that its conduct could fall within the meaning of the statute, rather than know with certainty how the FTC interprets the cybersecurity practices Section 5 requires. The court interpreted Wyndham's challenge as an as-applied challenge to the statute itself and found that it fell short, particularly based on:
  • The FTC's published data security guidance at the time of the breaches.
  • The FTC's published data security complaints, many of which included allegations similar to those alleged against Wyndham, and consent decrees.
  • Wyndham suffering three separate attacks.

Understanding the FTC's Data Security Standards

The Wyndham court's holding cements the FTC's authority over data security enforcement and, at least tacitly, endorses the FTC's lack of official rule-making. In the absence of rules or regulations, when advising clients on developing data security programs and practices that will comply with the FTC's standards, counsel must distill the appropriate standards from the FTC's publications and data security enforcement actions.

The Reasonableness Standard

Overall, the FTC's approach to enforcement examines whether any given data security program or practice is reasonable, measured in light of the:
  • Sensitivity and volume of consumer information the business holds.
  • Size and complexity of the business's data operations.
  • Cost of available tools to improve security and reduce vulnerabilities.
The FTC commonly brings enforcement actions premised on the failure to implement reasonable policies and practices to protect the security of consumers' personal information. The FTC also often alleges deceptive trade practices claims premised on the alleged failure to follow promises contained in a privacy policy, website, marketing information or any other communication with consumers.
Almost any security practice at odds with representations in a company's privacy policy, or other written statements or implicit promises to customers, can serve as the basis for a deceptive trade practices claim. This includes a general statement that the company implements "reasonable" data security standards, if the FTC determines that the company's standards were not in fact reasonable. For example, the FTC has commonly brought enforcement actions based on the alleged failure to:
  • Use reasonable measures to assess or ensure employee compliance with data security policies and procedures.
  • Maintain adequate password security.
  • Require service providers to employ appropriate safeguards or reasonably oversee security providers.

FTC Security Principles

FTC guidance provides valuable insight into what the FTC may consider reasonable when pursuing enforcement, though it does not carry the force of law. In its 2011 publication, Protecting Personal Information: A Guide for Business, an early version of which the Wyndham court specifically referenced in its opinion, the FTC set out five principles that companies should follow to protect personal information:
  • Be aware of all the personal information collected, retained and shared.
  • Keep only personal information required for legitimate business operations.
  • Use physical and electronic security to protect the information an organization retains.
  • Properly dispose of personal information as soon as it is no longer necessary for business operations.
  • Have a plan to respond to security incidents.
Building on these principles, the FTC announced its new "Start with Security" initiative in 2015 to help businesses protect consumers' personal information (see Legal Update, FTC Launches Security Education Initiative). As part of the initiative, the FTC introduced a new website consolidating its data security guidance. It also published a guide that reviews ten practical data security lessons from the FTC's enforcement actions and builds on the FTC's five stated principles.
For more information on the FTC's data security standards, including further FTC guidance and specific security practices that may trigger an enforcement action, see Practice Note, FTC Data Security Standards and Enforcement.