Data Security and Your Next Hotel Stay: How the FTC Encourages Strong Security Practices
Written by G.S. Hans
Summer’s just around the corner, so imagine you’re setting off on vacation. When you give your name and credit card to a hotel front desk clerk, you probably expect them to keep that sensitive information about you under lock and key. You probably don’t imagine that this personal information would be easily available to malicious hackers.
But unfortunately for customers of the Wyndham Hotel chain and its affiliates, that hasn’t always been the case. Between 2008 and 2010, the risk of data breaches was unacceptably high. On three separate occasions, third parties attackers circumvented Wyndham’s security systems and accessed credit card information. The FTC filed a complaint against Wyndham in 2012 alleging that the company’s security practices — including failing to encrypt payment data and the use of default logins and passwords — constituted unfair and deceptive practices under the FTC Act.
While most defendants enter into consent decrees with the FTC after a complaint was filed, Wyndham took the somewhat unusual step of challenging the FTC’s case. Earlier this month, Wyndham filed a motion to dismiss in district court in New Jersey. Wyndham argues that the FTC lacks the authority to regulate security practices as an unfair practice under the FTC Act. The thrust of Wyndham’s argument is that the language of the FTC Act does not cover data security practices, and that the many subsequent bills introduced in Congress that would grant the FTC explicit, specific authority to regulate data security practices implicitly indicates that Congress did not intend to grant such authority under the FTC Act.
We think that Wyndham’s arguments lack credibility. First, there is a very obvious reason that the FTC Act didn’t explicitly grant authority to the FTC to regulate data security: the act was written a century ago, when the phrase “data security” would have made as much sense as “Internet policy.” No legislator could have conceived of regulating data security in 1913. It is precisely for this reason that we have consistently argued for a flexible approach in understanding the unfairness and deceptive regulation prongs of the FTC Act; a cramped interpretation of the authorizing statute would preclude the agency from protecting consumers in our current era of computerized and network technologies absent further Congressional grants of authority, which could take years. Section 5 of the FTC Act was intended to apply to a broad range of consumer wrongs, and we need not pass a new law to address every business model that emerges.
Their second argument — that the existence of subsequent bills granting the FTC authority to regulate data security precludes such regulation under the FTC Act — also holds little weight. Such bills would grant the FTC authority to promulgate specific guidelines, but that doesn’t prohibit the agency from pursuing claims for general poor data security practices. Moreover, the clear language of the statute negates the argument that the FTC’s enforcement actions do not use clear standards. The FTC Act currently sets out a balancing test for unfairness cases: under Section 5 of the FTC Act, the FTC has no authority to declare a practice unfair, unless the act causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In the Wyndham case – as in most data security cases – there’s no consumer benefit to sloppy security practices, and no way to avoid them. Thus data security enforcement cases are squarely within the unfairness power, and far from controversial.
Because the FTC’s other main source of enforcement authority, the deception prong, often relies upon affirmative misstatements of fact, the unfairness prong remains the most effective method for the Commission to regulate insecure data practices. Indeed, we have long argued that the FTC should interpret its authority under the unfairness prong broadly in order to effectively protect consumers. The Wyndham case is therefore important not merely to protect future customers of the hotel chain, but also to ensure the ability of the FTC to regulate unfair practices with flexibility. We remain confident that the FTC will prevail in this case (the agency’s reply briefs are due at the end of May), and supportive of the Commission’s efforts to ensure that companies employ strong security measures to protect consumer data.