by Daniel J. Solove
The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and yesterday, it finally arrived.
The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).
Some Quick Background
For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.
For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.
Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been raging in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges to the FTC’s power to regulate data security under the FTC Act.
The Court’s Opinion and Some Thoughts
1. The FTC’s Unfairness Authority
Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA), Congress did not intend for the FTC to be able to regulate data security more generally under the FTC Act’s unfairness prong. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”
This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate consumer protection across most industries.
2. Fair Notice
Wyndham argued that the FTC failed to provide fair notice about what security practices the FTC deemed unfair under the FTC Act. But the court held that the FTC’s interpretations of the FTC Act “while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” (quoting Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141-42 (1976)).
My article with Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), addresses this point. We argue that FTC complaints and consent decrees have many features akin to common law, and privacy lawyers treat them much like common law. Over time, when a broad law is interpreted case by case, the collected cases start to resemble a more specific set of rules.
Hartzog and I reviewed all of the FTC’s cases on data security and compiled a list of the specific data security practices that the FTC found fault with. This list is on pp. 651-655 of our article. Thus, we believe that sufficient guidance can be found in the FTC cases.
3. Consumer Harm
Wyndham also contended that the FTC failed to plead sufficient consumer harm. The court, however, concluded that the FTC’s allegations were that “data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.”
Harm has long been a contentious and challenging issue in privacy and data security cases, but unlike other areas of law, the FTC can use a rather broad theory of harm.
This case has very important implications for data security as well as for privacy. The FTC has been developing case-by-case a substantial body of jurisprudence around data security and privacy, filling a critical void in U.S. privacy law.
Where do things go from here? The FTC can continue on its current trajectory. Perhaps it will be emboldened by this victory. More litigation in this case likely remains, so this decision will likely not be the final word. But for now, the FTC has won a big battle and has done so with a decisive victory.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.