On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s (FTC) authority to police corporate cybersecurity practices. Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corporation, which was supported by many prominent business groups, had argued the commission didn’t have the power to regulate corporate data-security practices. While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantel as the top federal enforcement authority in the area of cybersecurity.
The FTC has argued that it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” The FTC further believes that Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy including cybersecurity. Exercising this authority, in FTC v. Wyndham Worldwide Corporation, et al., the FTC initiated an action against Wyndham following a series of cyber breaches at several Wyndham-branded hotels where customer credit card information was exposed. The gravamen of the FTC’s action is the belief that Wyndham did not maintain “reasonable and appropriate” data security protections, and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive.
Filing a motion to dismiss the action, Wyndham argued that Congress, not the FTC, is the proper body to regulate cybersecurity, and that it alone has authority over data security standards. Wyndham also argued that Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Additionally, Wyndham noted that the FTC failed to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de-facto regulations. Wyndham argued that businesses cannot ensure compliance with the unpublished requirements.
In return, Judge Salas stated: “Wyndham’s motion to dismiss demands that this Court carve out a data security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.
On whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas held that permitting the FTC to exercises authority over data security would not lead to a result “that is incompatible with more recent legislation” and thus would “plainly contradict congressional policy.” Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the challenge to the lack of FTC notice, after analyzing the state of the law, the court concluded that the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that “[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”
In light of this decision, companies seeking to avoid a run-in with the FTC would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare practices against peers firms, and evaluate cyber protocols in light of all relevant FTC rulings and statements.