By David Katz and Daniel Lumm

FTC Secures an Early Victory in Its Battle for Data Privacy Authority

In a ruling delivered Monday, April 7 in the matter of the Federal Trade Commission vs. Wyndham Worldwide Corporation, et al., a federal judge handed the FTC a resounding victory in the first round of the ongoing court battle regarding the FTC's authority as the primary regulator of issues related to consumer data security and privacy in the United States. The court ruled on a motion to dismiss the FTC's complaint on various grounds which challenged the FTC's authority to bring enforcement actions related to data security issues, and denied the motion on all grounds. While it is important to note that this case is far from over, for now this ruling effectively provides judicial validation of the FTC's authority to pursue breaches or potential breaches of consumer privacy as deceptive and unfair trade practices subject to the jurisdiction of the Commission under its federal mandate, Section 5 of the Federal Trade Commission Act. The ruling also provides guidance in the area of best practices in privacy policy and franchise agreement drafting to companies which operate in franchise business models similar to the Wyndham model, where the franchisees are required by the franchise agreement to implement software which connects to the franchisor's network and computer systems.

Background

Unlike many other developed nations, the United States has not enacted a comprehensive, uniform body of legislation related to the security and privacy of consumer data in all contexts. The privacy and security of consumer information in certain industry-specific contexts, such as healthcare or financial services, are regulated by specific statutes, as is the privacy and security of information related to children. Additionally, certain states have enacted their own laws related to the protection of information pertaining to the residents of those states. Outside of these contexts, however, there has been a void with respect to federal legislation dealing with the manner in which companies handle and secure consumer information, and the issue has generally been handled in a self-regulatory "notice and consent" manner, in which companies provide written policies and terms to their customers identifying their information collection and handling practices and secure either implied or express consent from the customers to these practices. Under this self-regulatory approach, the Commission has acted as the primary enforcer, bringing actions against companies for "unfair" or "deceptive" practices when it believes that these companies have engaged in conduct which fails to protect consumer data or which uses consumer data in a way that harms the consumer.

Prior to the Wyndham case, companies which faced enforcement actions from the Commission had chosen to accept the authority of the Commission and enter into settlements. In the Wyndham case, however, Wyndham chose to challenge the FTC's complaint with a three-pronged motion to dismiss: first, challenging the authority of the Commission to assert unfairness claims in the data-security context; second, asserting that the Commission cannot bring unfairness claims without formally issuing regulations; and third, arguing that the allegations set forth by the Commission were not sufficient to meet the required elements for a claim of unfairness or a claim of deception.

Highlights of the Ruling

The Commission's authority to regulate data privacy under its "unfairness" mandate

Although far from over, this case provides important insight into the future of enforcement and litigation of data privacy under the FTC's jurisdiction. Of primary interest is the court's refusal to accept Wyndham's position that the FTC lacks the authority to regulate in the area of data security under the mandate of the FTC Act. Wyndham asserted that if Congress had intended a broad grant of authority in the area of data security, it would not have enacted other specific statutes like the Fair Credit Reporting Act ("FCRA"), the Gramm-Leach-Bliley Act ("GLBA"), the Children's Online Privacy Protection Act ("COPPA"), and the Health Insurance Portability and Accountability Act ("HIPAA"), all of which contain specific provisions with respect to the protection and privacy of personal information. For various reasons which the opinion lays out in detail, the court could not as a matter of law accept this assertion.

The sufficiency of prior enforcement actions to provide notice of appropriate conduct

Of additional interest to industry watchers is the court's refusal to accept Wyndham's position that the FTC cannot enforce consent orders or penalties for unfair practices in data security without first issuing formal regulations which define the specific data security practices that are required or forbidden. Wyndham asserted that the "reasonableness" standard employed by the FTC in judging compliance provides inadequate guidance for companies to determine appropriate practices in the complex and technical area of data security, and therefore should be replaced by formal rules which specify the practices and procedures necessary for compliance. The court disagreed with Wyndham's argument, and for now the ability of the FTC to enforce penalties without formal rulemaking has been upheld.

The sufficiency of factual allegations relating to breach of payment card data

The court also dealt with Wyndham's contention that the FTC had not pled facts sufficient to sustain claims of unfair practices or of deceptive practices. In support of its first assertion, Wyndham claimed that the FTC must show "substantial injury to consumers" which is "not reasonably avoidable" by consumers themselves, and that consumer injury from theft of payment card data is never substantial and always avoidable, because there is a very low cap on the amount of fraudulent charges for which consumers can be held responsible and the credit institutions absorb the remainder or, in most cases, all of the fraudulent charges. Due to the procedural stage of the action, the court was required to assume as true all facts alleged by the FTC and view them in the light most favorable to the FTC. Therefore, the court identified and gave deference to specific facts alleged by the FTC which would contradict the assertion that consumers are not substantially harmed by the theft of their payment card information. Companies which deal with payment card data should understand, in light of this decision, that the FTC will continue to pursue breaches of consumer payment card information as substantially harmful to consumers, even where the showing of individual financial harm is minimal.

The potential impact on franchise business operations

The "deception" discussion of this case is of particular interest to franchise-style business organizations. Wyndham asserted that the FTC had not pled facts sufficient to support a claim of deception, because the FTC primarily made allegations concerning data security practices at Wyndham-branded hotel franchises, which are legally separate entities, each of which maintains its own computer systems and engages in its own data-collection practices. Wyndham also claimed that its privacy policy specifically excludes the branded franchise operations from Wyndham's security representations, and that such practice is consistent with accepted franchise law. The court, however, looked to certain allegations made by the FTC regarding the language in Wyndham's privacy policy, which stated in relevant part:

"We safeguard our Customers' personally identifiable information by using industry standard practices" and make "commercially reasonable efforts ... consistent with all applicable laws and regulations," and "take commercially reasonable efforts to create ... other appropriate safeguards to ensure that, to the extent we control the Information, the Information is used only as authorized by us."

The court also gave deference to allegations that Wyndham was responsible for data security failures by permitting franchisee computers with unreasonable data security measures to connect with Wyndham's network, which made the security failures "attributable" to Wyndham even where the franchisees are legally separate entities and not under the actual control of Wyndham.

Summary

Unless Wyndham ultimately decides to settle with the FTC, this case could continue in litigation for years. At this early stage, however, companies may consider this ruling as guidance in the following areas:

1. The FTC continues to remain the primary enforcer of general data security issues regarding U.S. consumers, and this ruling maintains that de facto standard.

2. Unless and until Congress enacts comprehensive general legislation which sets forth a more specific standard of compliance, or which requires the FTC to set forth formal rules, the "reasonableness" standard of the FTC's current jurisprudence remains the standard by which data security efforts will be judged.

3. Companies which operate in a business relationship where franchisees or other third-party legal entities interconnect or interoperate with their computer systems must be very careful to take appropriate steps to secure their own systems from attacks originating from the third-party systems, especially in cases such as this one, where the franchisees are required by contract to connect with the franchisor.

4. Companies must carefully review their privacy claims and their actual data security practices to ensure that claims of "industry standard practices", "commercially reasonable efforts", and "compliance with applicable laws and regulations", which are standard terms in many policies, are backed up with defensible real-world practices.

5. Companies must understand that privacy policy terms disclaiming responsibility for the actions of third parties and franchisees may not be sufficient protection where their own practices do not adequately protect against and insulate them from the poor practices of those third parties. Companies should carefully draft their documents to protect their own liability interests and, where possible, contractually secure data protection representations that shift liability to interconnected third parties.

David Katz and Daniel Lumm are attorneys with Nelson Mullins Riley & Scarborough LLP. Katz is an Atlanta-based partner who focuses on regulatory compliance, consumer privacy and data security compliance, information governance, ethics, corporate governance and enterprise risk management. He may be reached at (404) 322-6122 or by email at david.katz@. You may also follow him on Twitter @KatzFDavid. Lumm is an associate in the firm's Columbia, S.C. office, and he concentrates on corporate law, contracts, technology law, and Internet and privacy law. He may be reached at (803) 255-9705 or by email at daniel.lumm@.
