Should the FTC be able to regulate companies that don’t pick up “banana peels” in the security space? In yesterday’s ruling in long-running FTC v. Wyndham litigation, the Third Circuit Court of Appeals said yes, ruling that the FTC has the authority to regulate data security under Section 5 of the FTC Act.
Wyndham, a hotel chain, had suffered three data breaches over a two-year period, which exposed approximately 619,000 customer accounts and resulted in about $10.6 million in fraud loss. Last year, CDT argued in an amicus brief, alongside EFF and the Samuelson Clinic at Berkeley Law, that the FTC should be able to protect consumers by regulating companies with inadequate security practices, given the prevalence of corporate databases containing sensitive personal information and the need for strong data security in a digital economy. We’re glad that the appellate court agreed that the FTC has such authority, sending a clear signal to companies that robust security is a necessity when doing business.
Wyndham’s challenges to the FTC’s case rested on three main points, none of which the court found persuasive. First, Wyndham claimed that the plain language of the FTC Act, the statute under which the agency does much of its regulation, didn’t allow the agency to regulate data security. Wyndham argued that the FTC Act’s prohibition on unfair practices was too vague and broad to cover the company’s conduct. However, because Section 5(n) of the FTC Act already limits unfairness claims with a balancing test (the practice must cause substantial injury to consumers that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits), it’s not surprising that the court didn’t buy this argument. Indeed, in response to Wyndham’s claims that broad unfairness enforcement would lead to regulation of even the most minor of business practices, potentially threatening businesses that are “sloppy about sweeping up banana peels,” the court wryly observed that any business that allowed 619,000 customers to slip on banana peels should hardly be immune from liability.
Wyndham also argued that the language of the FTC Act didn’t allow the agency to bring suits on the basis of data security, because the statute doesn’t explicitly provide for such regulation. This argument conveniently ignores that there is a very good reason the FTC Act doesn’t call out data security as a regulated area: the Act was written in 1914, long before the concept of data security even existed, and nothing in the statute or the FTC’s own practice suggests the agency lacks such authority. It is precisely because of the flexibility of statutory language that the FTC has been able to protect consumers in an era of rapidly changing technology. Any statute that called out specific industries or practices would quickly become outdated.
Wyndham’s final claim, that the FTC failed to provide adequate notice under due process principles, was perhaps more persuasive than the weak administrative law claims, but it still reflected a misunderstanding of how modern regulation operates. Rapid changes in best practices for protecting consumer data would quickly outpace any government rulemaking process. The FTC has therefore relied upon its enforcement actions, publicly available guidance, industry-developed best practices, and common sense as a basis for filing complaints against companies with poor practices. With more than fifty data security cases on the books, the agency has created a robust record detailing what practices won’t pass muster.
Wyndham, which suffered multiple avoidable breaches, and in some cases never even changed passwords from the default factory setting, was far from an innocent, naïve actor. The court observed that the company had plenty of notice from the FTC on what appropriate data practices looked like, such that it could reasonably expect the agency to take action. In today’s world, all companies need to have robust security programs, including encryption for data in storage and in transit, strong passwords and least-privilege access to systems, and regular auditing and oversight.
Despite Wyndham’s cavalier use of banana peels as an analogy for sloppy data security practices, the analogy is in some ways apt. In recent years, data breaches have become a ubiquitous threat; every month brings news of yet another company that’s suffered a high-profile breach. In some of these cases, companies simply didn’t have adequate, meaningful security programs, making errors similar to Wyndham’s mistakes. When companies have more data than ever before on what individuals are buying, where they live, and what they do on a daily basis, it’s more important than ever that the FTC be able to protect consumers by promoting responsible data security practices by the companies we entrust with our data. The Third Circuit’s ruling establishes that the FTC has a legally appropriate role to play here, and we hope that the agency continues to build on its strong enforcement record in the future.