On Wednesday, November 12th, CDT, along with the Electronic Frontier Foundation, filed an amicus brief in the long-running FTC v. Wyndham litigation. Those who have followed the case and our coverage of it may remember that in April 2014, Judge Esther Salas of the Federal District Court of New Jersey ruled in favor of the FTC regarding its ability to regulate data security under the unfairness prong of the FTC Act. However, observing that this ruling involved a novel question of law, Judge Salas allowed Wyndham to appeal her ruling to the Third Circuit. It is in this appeal that we’ve filed our amicus supporting the FTC.
First, a brief overview: Wyndham, a hotel chain, suffered multiple avoidable breaches of its systems between 2008 and 2010, exposing vast amounts of sensitive consumer financial data (including credit card numbers) to malicious hackers. The FTC filed a complaint against Wyndham for its lax security measures, asserting that they violated the FTC Act’s ban on deceptive and unfair commercial practices. Those measures included failing to erect firewalls, using weak passwords (including passwords that were identical to usernames), failing to encrypt credit card information, and using outdated software that could not be updated. The FTC has filed multiple actions against companies with poor data security practices — fifty as of this year — and nearly all of them have settled, with most companies entering into consent decrees allowing for FTC oversight of their security programs and independent auditing.
Wyndham has chosen to litigate this case, arguing that the FTC has overreached its bounds. Wyndham’s main claims are that the FTC cannot regulate data security under the provisions of the FTC Act, and that the FTC did not provide proper notice under due process to companies regarding what appropriate security standards were. For reasons that the FTC has delineated in its appellate reply brief, those claims are pretty weak. For those readers who (like myself) are administrative law devotees, I encourage you to read the FTC’s brief for more detail – the FTC thoroughly explains why, under constitutional law and settled doctrine, it can regulate data security and pursue this case against Wyndham.
Our amicus highlights a few additional points that we think demonstrate why it’s vital that the FTC regulate data security. First, Wyndham has made the argument that it is the victim in this context — but that doesn’t mean any responsibility to third parties (including its customers) disappears as a result. Courts have historically agreed that a company can still be subject to liability under the FTC Act, even if it has suffered its own harms; this case is no different.
Second, Wyndham’s argument that the FTC’s proceedings violate due process would undermine a host of other state and federal statutes, as well as the entire concept of “reasonableness” — an underpinning of tort law in our legal system. Under settled tenets of administrative law, the FTC had provided sufficient notice to Wyndham and other companies of what constituted appropriate security measures, including through agency guidance and prior FTC decisions and consent decrees.
Finally, despite Wyndham’s claims, the FTC’s method of enforcing data security, through guidance and consent decrees, is an appropriate and flexible way to protect consumer data. Administrative agencies often regulate industries through notice-and-comment rulemaking, as well as through enforcement actions. However, given the regularly slow pace of rulemaking, and the constantly evolving standards for data security, rulemaking would be an ineffective way to protect privacy — especially as FTC rules are often only revised every ten years, an eternity in the technology space. Moreover, relying upon companies to self-regulate in order to protect consumer data is unlikely to result in robust protections, as the recent spate of data breaches demonstrates. It’s for these reasons that we need the FTC to be a “cop on the beat” and seek enforcement actions against companies like Wyndham that don’t adequately protect their consumers.
Our amicus brief was primarily drafted by law students enrolled at the Samuelson Law, Technology, and Policy Clinic at the University of California – Berkeley School of Law. We thank those students – Jonathan Francis, Madeline Barker Mai, and Kelly Vargas – and their supervising attorneys, Catherine Crump and Chris Hoofnagle, for their invaluable help and excellent work on this project. We hope and expect the appellate court to uphold Judge Salas’ ruling and find in favor of the FTC; a decision is expected next year.