Communications Daily is a service of Warren Communications News.
‘A War of Miles’

Wyndham Ruling Seen Having Minimal Effect on FTC Actions, Data Breach Legislation

The FTC’s authority to oversee companies’ data security practices remains. The U.S. District Court in Newark, N.J., Monday rejected a company’s motion to dismiss an FTC suit over lax data security practices; the company had argued the commission doesn’t have the authority (http://bit.ly/Oyp7bb). The Wyndham hotel chain had pushed back against FTC authority after the commission filed a complaint alleging poor security measures had resulted in repeated data breaches.

Don’t expect the decision to significantly affect the FTC’s data security work or recently introduced data breach bills on the Hill, observers told us in interviews Tuesday. “While closely watched, the impact of a decision at the motion to dismiss stage is limited,” said Fletcher Heald communications lawyer Paul Feldman. “This is a war of miles,” said Wilson Sonsini data security attorney Gerry Stegmaier. “We've only moved the first few inches of the battlefield.” The case has been seen as a “referendum” on the FTC’s data security jurisdiction (WID Feb 25 p1). Although Monday’s decision reaffirms the FTC’s authority in this area, the ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” said Judge Esther Salas in the ruling.

Wyndham’s motion to dismiss was based on three claims, according to court documents: The FTC doesn’t have authority to assert an unfairness claim in the data security context; the FTC has not given fair notice of its data security expectations; and the FTC did not meet a high enough pleading standard to support an unfairness or deception claim. On all three counts, Salas sided with the FTC.

While some lamented and others cheered Monday’s ruling, all agreed it wasn’t surprising. Former FTC Commissioner Thomas Rosch, a Republican, served from 2006 to 2013 and dissented from the “unfairness” portion of the original 2012 complaint against Wyndham (http://1.usa.gov/1fCSeH1). “I dissented because I thought there was a fair ground for litigation of the issue of fairness, not because I expected it to be resolved at the threshold,” he told us by email.

Wyndham said it will not quit: “We intend to defend our position vigorously,” said a spokesman, noting the court “made no decision on liability.” If the case moves to an appeal or trial instead of a settlement, the arguments are likely to focus on the FTC’s specific claims about Wyndham’s data security practices and whether Wyndham had “fair notice” of what data security practices the FTC expected -- not the FTC’s authority to regulate data security practices, several lawyers told us. Center for Democracy and Technology (CDT) attorney Gautam Hans told us Salas’s Monday ruling showed she was inclined to ultimately side with the FTC on the issues of fair notice and the unfairness and deceptiveness of Wyndham’s data security practices. “I think it’s pretty clear if this case goes to trial ... the FTC will win,” he said. TechFreedom President Berin Szoka, a former practicing Internet and communications lawyer, disagreed. Salas “dodged the hard question” of whether the FTC had provided fair notice. “We hope Wyndham will focus on these questions in its appeal and at the motion for summary judgment.” TechFreedom, a libertarian-leaning Internet advocate, filed an amicus brief on Wyndham’s behalf during the proceedings (http://bit.ly/1itiUb7).

During oral argument, Wyndham leaned heavily on the notion Congress had not given the FTC authority over data security, nor had it ever expressed intent to do so. Wyndham’s argument “fails to explain how the FTC’s unfairness authority over data security would lead to a result that is incompatible with more recent legislation,” Salas said. Wyndham argued legislation like the Fair Credit Reporting Act (FCRA), Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA) showed Congress meant to give the FTC data security power in limited niches. A 2000 Supreme Court decision -- Food and Drug Administration v. Brown & Williamson Tobacco Corp. -- established the precedent that federal agencies should not have regulatory power in an area if Congress didn’t grant that power, nor express an intent to do so, Wyndham said during oral argument. The court in Brown & Williamson ruled the FDA could not regulate tobacco and cigarettes for those reasons (http://bit.ly/1mwwjnO).

Wyndham’s stance misses the point, Salas said in the ruling. Wyndham’s reading of Brown & Williamson “ignores the critical premise” of the decision, she said, quoting the line: “[W]e find that Congress has directly spoken to the issue here and precluded the FDA’s jurisdiction to regulate tobacco products.” In the case of data security, the set of bills “seems to complement -- not preclude -- the FTC’s authority,” Salas said. FCRA, COPPA and GLBA “each set forth different standards for injury in certain delineated circumstances, granting the FTC additional enforcement tools,” she added.

“Jurisdiction is tough to win on,” said lawyer Michelle Cohen, a data security specialist at the Ifrah law firm. The FTC Act’s Section 5 regarding unfair and deceptive practices “has been interpreted so broadly,” she said. All lawyers we talked to agreed Salas was unlikely to change course on the issue of jurisdiction if the case moves to a trial. “The FTC has staunchly maintained its authority in this area for quite some time,” said Wilson Sonsini’s Stegmaier. “And so whether it won or lost, this particular decision is unlikely to affect the agency’s enforcement posture.” But the ruling left fair notice and pleading requirements open to continued interpretation moving forward, Stegmaier and Cohen said. “While the court did address those, I have a feeling there’s more to be fleshed out as we go along,” Cohen said.

Salas did address both fair notice and pleading standards. “Wyndham seems to improperly characterizes [sic] the issue as being whether the FTC must provide any fair notice at all,” Salas said. “But this is not the issue. Instead, the issue is whether fair notice requires the FTC to formally issue rules and regulations before it can file an unfairness claim in federal district court. And, to that extent, the Court is not so persuaded.” Jules Polonetsky, executive director of the industry-backed Future of Privacy Forum, told us “the most telling note may be the court’s affirmation” that the FTC’s settlements do establish informed judgment that courts and industry can use for guidance.

But the court didn’t fully answer the question of whether Wyndham had fair notice, several lawyers agreed. It left unanswered several questions, Szoka said: “Does the FTC’s body of roughly fifty unadjudicated settlements and a skimpy ‘guidance brochure’ provide adequate notice? Given that so few companies will challenge the FTC in court, does the FTC have too much discretion?” Fair notice could give Wyndham its best chance moving forward, Cohen said. “If I were a betting person, I would say probably the fair notice would be a stronger argument than the pleading requirements,” she said. There isn’t much legal precedent for agency guidelines being considered “the be-all-and-end-all of fair notice,” she said.

CDT’s Hans thought the ruling’s discussion of fair notice and pleading standards “is sufficiently rigorous” to show the judge will likely side with the FTC on those issues. Hans also cautioned the evidence against Wyndham is “pretty bad.” The organization failed to conduct basic security measures such as encrypting payment data and regularly changing system passwords, he said. “This is pretty unfair under the standard the FTC applies,” he said, making it hard for Wyndham to make a fair notice argument. “The FTC has a sufficiently developed history of enforcing data security cases that provide pretty clear guidelines,” he said.

Lawmakers have offered legislation to clarify the FTC’s data security role, particularly in the wake of a slew of data breaches at large retailers like Target and Neiman Marcus (WID Jan 14 p8, Jan 6 p1, Dec 20 p1). There have been numerous hearings on the issue (WID March 27 p3, Feb 4 p6, Feb 5 p1, Feb 5 p5), as well as several data breach and notification bills that would further empower the FTC in its data security role (WID Feb 6 p5).

Monday’s ruling was mostly seen as having little effect on the chances for these bills. “It still seems unlikely that anything substantive can get through Congress,” said Fletcher Heald’s Feldman. “On the other hand, there may be growing support in the business community for legislation that would give greater certainty to their data security obligations and liability, and this sort of decision could increase that support, and generate more momentum for legislation,” he said. Software and Information Industry Association Senior Director-Public Policy David LeDuc differed, telling us the ruling “confirms that the commission has significant authority under Section 5 and it raises a significant question about the need to expand the commission’s regulatory authority in order to ensure adequate data security and privacy.”