Wyndham Secures Interlocutory Appeal Challenging the FTC’s Authority to Regulate Cybersecurity Practices

By Steven Caponi

As part of our ongoing effort to advise clients on significant developments in cybersecurity that are likely to impact their businesses, we have been actively reporting on the case of FTC v. Wyndham Worldwide Corporation, et al., pending before U.S. District Judge Esther Salas in New Jersey. In April of this year we issued a client alert discussing the much anticipated April 7, 2014, decision by Judge Salas, which rejected a direct challenge to the Federal Trade Commission’s (“FTC”) authority to police corporate cybersecurity practices.

In a surprising development, on June 23, 2014, Judge Salas issued a Memorandum Opinion and Order granting Wyndham’s motion seeking immediate appellate review of the April 7 decision—without holding oral argument. Judge Salas’ reasons for supporting Wyndham’s request to file an appeal are instructive and suggest the FTC’s authority to act as the nation’s chief cybersecurity enforcement agency is far from resolved. Following a careful analysis, the Court acknowledged that if its interpretation of the FTC’s authority was incorrect, it would represent reversible error on appeal, requiring a grant of Wyndham’s motion to dismiss. …

The FTC had sued Wyndham in New Jersey based, in part, on the belief the FTC possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Moving to dismiss the action, Wyndham argued Congress, not the FTC, is the proper body to regulate cybersecurity and the FTC had failed to publish rules or regulations providing companies with fair notice of what protections are expected or acceptable.

In what was seen as a complete victory for the FTC, Judge Salas rejected Wyndham’s narrow interpretation of the FTC’s Section 5 powers. The Court concluded that Congress had vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the issue of fair notice, the Court concluded the FTC was not required to formally publish regulations on cybersecurity before bringing an enforcement action. Judge Salas noted that “courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

To many, what was striking about Judge Salas’ April 7 decision was the manner in which Wyndham’s arguments were quickly dispatched in a straightforward and authoritative fashion. There appeared to be no equivocation or hesitation in the ruling. This led many commentators to suggest the legality of the FTC’s Section 5 powers was no longer seriously in doubt. So it came as a surprise when Judge Salas issued the June 23 Opinion granting the request to seek an interlocutory appeal and acknowledging the prior ruling may not necessarily be correct.

To place the most recent Opinion in context, it is important to note, as did Judge Salas, that “interlocutory certification should be used sparingly and that the District Court should serve as a diligent gatekeeper to prevent premature and piecemeal appeals.” Historically, district and appellate courts have routinely relied upon this logic to quickly deny the vast majority of requests for interlocutory appeal. Before a party can seek an interlocutory appeal, it must first demonstrate under 28 U.S.C. § 1292(b): (i) there is a controlling issue of law; (ii) there is substantial ground for difference of opinion; and (iii) an immediate appeal may materially advance the ultimate determination of the litigation. Even if, however, all three criteria under Section 1292(b) are met, Judge Salas noted “the district court may still deny certification, as the decision is entirely within the district court’s discretion.”

In this instance, Judge Salas concluded all three prongs of Section 1292(b) had been satisfied. With regard to the first prong, the Court noted the April 7 decision involved two controlling issues of law: the FTC’s powers under Section 5 to regulate cybersecurity practices and whether the FTC must “formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.” The Court further concluded an immediate appeal may advance the ultimate termination of the litigation because it would potentially reduce the scope of a trial, resolve complex issues before trial, and materially narrow the scope of discovery.

For those who have been “handicapping” the likelihood the FTC’s interpretation of its Section 5 powers will prevail, Judge Salas concluded Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.” Citing Reese v. BP Exploration (Alaska) Inc., 643 F.3d 681, 688 (9th Cir. 2011), the Court held this standard was met because the April 7 decision involved “novel legal issues…on which fair-minded jurists might reach contradictory conclusions.”

Although resolute in her prior ruling, by recognizing other “fair minded jurists” may reach a different conclusion, Judge Salas has sent a clear, cautionary message that the FTC’s authority to regulate cybersecurity practices is not a foregone conclusion. At this juncture, all eyes will be on the Third Circuit Court of Appeals to see if it grants Wyndham’s request for an interlocutory appeal and, if so, how it ultimately rules on the issues identified by Judge Salas. Even after the Third Circuit acts, the scope of the FTC’s authority will not have been definitively decided. As noted in the June 23 Opinion, “fair minded jurists” sitting in districts outside the Third Circuit and in other circuit courts of appeals may reach a different conclusion.

FTC Letter is a Reminder for All M&A Deals

By Jennifer Daniels

On April 10, 2014, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, wrote a letter to both Facebook, Inc. and WhatsApp Inc. warning the companies that the FTC expects both companies to honor the privacy promises made by WhatsApp prior to its acquisition by Facebook. In late February, Facebook announced that it would acquire the stock of WhatsApp, a company that offers instant messaging services with hundreds of millions of users worldwide. WhatsApp has built a reputation for its privacy promises. Conversely, Facebook’s privacy reputation is not a stellar one, as Facebook is the subject of a twenty-year Consent Agreement with the FTC arising from a settlement of past allegations of deceptive practices in handling user data. The April 10 letter from Ms. Rich offers a reminder to companies engaging in acquisitions to plan for the handling of personally identifiable information.

In the April 10 letter, Ms. Rich points out that the privacy promises made by WhatsApp in its privacy statement exceed the protections currently promised to Facebook users. Ms. Rich explains that, if the acquisition is completed and WhatsApp fails to honor its promises, both companies could be in violation of Section 5 of the FTC Act and, possibly, the FTC order against Facebook. Ms. Rich highlights other cases that the FTC has brought charging that companies failed to keep their privacy promises, including In re Genelink, Inc., In re Upromise, Inc., and In re Twitter, Inc. In addition, the FTC made clear in In re Gateway Learning Corp. that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time the data were collected.

Accordingly, Facebook and WhatsApp are not permitted to amend the WhatsApp privacy statement going forward and have the amended privacy statement apply to data that were collected by WhatsApp prior to the amendment. If the companies want a modified privacy statement to apply retroactively to data that had been collected by WhatsApp in the past, they will need to obtain an opt-in consent from the impacted consumers. Further, Ms. Rich indicates in her letter that, because Facebook and WhatsApp are now making promises that the companies will not modify WhatsApp’s privacy practices following the acquisition, if the companies do decide to change WhatsApp’s privacy practices following the transaction, the FTC recommends that the companies offer existing users the ability to opt out of the future collection of their information, or at least make it clear to consumers that they have the ability to stop using the WhatsApp service.

The letter from Ms. Rich is an important reminder to companies that process personally identifiable consumer data that the handling of those data is an important consideration in any M&A transaction. When looking at structuring an acquisition, the parties must consider whether the privacy statements or consents under which personal data were collected allow disclosures of that data to a third-party acquirer. If they do not, then an asset acquisition may not be possible without violating those privacy statements and consents, because an asset acquisition necessarily involves a change in the legal entity that owns the data. Companies must also anticipate this issue when preparing privacy statements and consents, and must include language that allows personal information to be disclosed to the purchaser of the business. Further, even in a stock purchase where the target legal entity collecting and holding the data does not change (so there is arguably no disclosure of the data to a third-party acquirer), the buyer should conduct diligence on the privacy promises of the seller to ensure that the buyer can live with the promises made regarding the data, understanding that any material change in the uses and disclosures of the data following the acquisition may require opt-in consent from the impacted consumers, which in many instances is nearly impossible to obtain.

FTC Prevails in Fight to Regulate Cybersecurity Practices

By Steven Caponi

On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s (FTC) authority to police corporate cybersecurity practices. Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corporation, which was supported by many prominent business groups, had argued the commission didn’t have the power to regulate corporate data-security practices. While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantle as the top federal enforcement authority in the area of cybersecurity.

The FTC has argued that it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” The FTC further believes that Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy, including cybersecurity. Exercising this authority, in FTC v. Wyndham Worldwide Corporation, et al., the FTC initiated an action against Wyndham following a series of cyber breaches at several Wyndham-branded hotels where customer credit card information was exposed. The gravamen of the FTC’s action is the belief that Wyndham did not maintain “reasonable and appropriate” data security protections, and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive.

Filing a motion to dismiss the action, Wyndham argued that Congress, not the FTC, is the proper body to regulate cybersecurity, and that it alone has authority over data security standards. Wyndham also argued that Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Additionally, Wyndham noted that the FTC failed to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de facto regulations. Wyndham argued that businesses cannot ensure compliance with unpublished requirements.

In return, Judge Salas stated: “Wyndham’s motion to dismiss demands that this Court carve out a data security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.

On whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas held that permitting the FTC to exercise authority over data security would not lead to a result “that is incompatible with more recent legislation” and thus would “plainly contradict congressional policy.” Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the challenge to the lack of FTC notice, after analyzing the state of the law, the court concluded that the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that “[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

In light of this decision, companies seeking to avoid a run-in with the FTC would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare those practices against peer firms, and evaluate their cyber protocols in light of all relevant FTC rulings and statements.

Accretive Health Settles FTC Charges that it Failed to Adequately Protect Consumers’ Personal Information

By Jennifer Daniels

Accretive Health, Inc. (“Accretive”) is a service provider for hospital systems nationwide, providing services related to the hospital systems’ revenue cycle operations. In providing these services, Accretive obtains sensitive health information about its customers’ patients. Accretive suffered a security breach that resulted in the exposure of sensitive, personally identifiable information for about 23,000 individuals. As is often the case, that breach resulted in a complaint from the government.

Of course, Accretive’s clients are Health Insurance Portability and Accountability Act (“HIPAA”)-covered entities and Accretive is a business associate under HIPAA. This investigation, however, was not a HIPAA investigation; rather, the claims made by the Federal Trade Commission (“FTC”) were brought under the FTC Act. HIPAA-covered entities and their business associates should keep in mind that HIPAA compliance is not their only regulatory obligation to maintain the security of personal information.

The FTC argued that Accretive failed to provide reasonable and appropriate security for the consumers’ personal information it collected and maintained, by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access. The FTC claimed that, among other things, Accretive:

  • transported laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
  • failed to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
  • failed to ensure that employees removed information from their computers for which they no longer had a business need; and
  • used consumers’ personal information in training sessions with employees and failed to ensure that the information was removed from employee computers after the training.

Accretive’s failures resulted in a July 2011 incident in Minneapolis, Minnesota, in which an Accretive laptop containing 600 files related to 23,000 patients was left in the locked passenger compartment of an employee’s car and was stolen. The laptop included sensitive personal and health information, including names, dates of birth, billing information, diagnostic information, and Social Security numbers. The user of the laptop had data that was not necessary to perform his job.

The FTC argued that the failure by Accretive to employ reasonable and appropriate measures to protect personal information from unauthorized access was an unfair act or practice in violation of Section 5(a) of the FTC Act.

On January 13, the FTC published a notice in the Federal Register that the FTC had accepted, subject to final approval, a consent order applicable to Accretive. The Proposed Order requires Accretive to establish and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information. The program must contain administrative, technical and physical safeguards appropriate to Accretive’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects about consumers. Specifically, the Proposed Order requires Accretive to:

  • designate an employee or employees to coordinate and be accountable for the information security program;
  • identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive, and require service providers by contract to implement and maintain appropriate safeguards; and
  • evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Companies handling sensitive personal information are advised to review the types of security measures that the FTC includes in these types of consents because they give companies a checklist of the measures that the FTC will expect to be in place at companies handling similar types of data.

In Accretive’s case, the Proposed Order will be in place for 20 years, and the order requires Accretive to obtain an assessment and report every other year for 20 years from a qualified, objective, and independent third party professional certifying that its security program meets the requirements of the order.

The FTC published a description of the consent, which is subject to public comment for thirty days, after which the FTC will decide whether to make the proposed order final.

Genelink, Inc. Must Improve Safeguards of Consumers’ Sensitive Information

By Jennifer Daniels

Two marketers of genetically customized nutritional supplements have agreed to settle Federal Trade Commission (“FTC”) charges of deceptive advertising claims and lax information security practices. Apparently, the main purpose of the FTC’s investigation had to do with unsubstantiated advertising claims about Genelink’s products, but the FTC took the opportunity to also question the security processes employed by Genelink. The FTC’s complaint charges that Genelink deceptively and unfairly claimed that it had taken reasonable and appropriate security measures to safeguard and maintain personal information from nearly 30,000 consumers. Genelink collected genetic information, Social Security numbers, bank account information, and credit card numbers. The complaint alleges that Genelink did not require service providers to have appropriate safeguards for personal information, and failed to use readily available security measures to limit wireless access to its network. The proposed order requires Genelink to establish and maintain a comprehensive information security program and to submit to security audits by an independent auditor every other year for 20 years. As I have said before, sometimes the ongoing compliance obligations are much more burdensome and costly than any fines or penalties imposed by regulators.