Whether the Federal Trade Commission Has the Authority Under Section 5 of the FTC Act to Bring an Enforcement Action Against a Company Whose Failure to Protect Sensitive Data Has Resulted in Financial Harm to Consumers
The Federal Trade Commission sued a global hotel company for failing to adequately safeguard its computer network, allowing hackers to access customer information. The company now argues that the FTC lacks authority to regulate data security standards of commercial entities. The lower court ruled in the FTC’s favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC’s data protection authority.
Listen to the March 3, 2015 oral argument:
The Federal Trade Commission (FTC) filed suit in federal district court against global hotel company Wyndham Worldwide Corporation and its subsidiaries (collectively, “Wyndham”) for failing to maintain reasonable and appropriate data security practices for sensitive customer data. Wyndham’s data security practices, allege the FTC, are deceptive and unfair acts prohibited by Section 5 of the FTC Act. The Commission alleges that, at least since 2008, Wyndham engaged in a number of practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” According to the complaint, these practices include:
- failure to use readily available security measures, such as firewalls;
- storage of credit card information in clear text;
- failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
- failure to address known security vulnerabilities on servers;
- use of default user names and passwords for access to servers;
- failure to require employees to use complex user IDs and passwords to access company servers;
- failure to inventory computers to appropriately manage the network;
- failure to maintain reasonable security measures to monitor unauthorized computer access;
- failure to conduct security investigations; and
- failure to reasonably limit third-party access to company networks and computers.
According to the FTC, these deficient security practices led to three unauthorized intrusions between 2008 and 2010. These intrusions allegedly caused “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
Unfair acts under Section 5 are those that “cause or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Wyndham’s Challenge to the FTC’s Data Security Authority
Wyndham moved to dismiss the FTC’s suit. In its motion, the company challenged the FTC’s data security authority under the unfairness prong of Section 5. The unfairness prong authorizes the FTC to prohibit acts that cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. Wyndham did not argue that the text or legislative history of Section 5 precluded the FTC from regulating data security. Rather, the company argued that by adopting targeted data security legislation, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act, Congress has settled on “a less extensive regulatory scheme.” This scheme, argued the company, would be rendered superfluous if the FTC is allowed to impose general data security standards under its Section 5 authority.
Wyndham further argued that the FTC has disclaimed authority to regulate data security practices. The company contends that, like the FDA’s disclaimers over tobacco regulation in FDA v. Brown & Williamson Tobacco Corp., the FTC made public statements between 1998 and 2001 in which it disclaimed authority to regulate data security.
The district court rejected Wyndham’s arguments and denied the company’s motion to dismiss. First, it concluded that Brown & Williamson is distinguishable. In Brown & Williamson, the U.S. Supreme Court held that Congress, through the Food, Drug, and Cosmetic Act, had precluded the Food and Drug Administration’s (FDA) jurisdiction over tobacco products. To conclude otherwise, reasoned the Court, would require the FDA to remove tobacco products from the market entirely, which would “plainly contradict congressional policy.” The district court stated that no such contradiction exists with the FTC and data security jurisdiction. Instead, the court concluded that data security legislation was intended “to complement—not preclude—the FTC’s authority.”
Second, the court rejected Wyndham’s contention that the FTC disclaimed authority over data security. Unlike the FDA in Brown & Williamson, the FTC did not take a “plain and resolute position” that it lacked jurisdiction to regulate a particular area. The court concluded that the three statements put forth by Wyndham did not amount to a disclaimer of authority by the FTC. Also relevant was the fact that the FTC brought several unfairness actions involving data security after the statements in question were made. On a related point, the court rejected Wyndham’s contention that because the FTC never affirmatively declared its authority over data security, the agency cannot assert it, finding no legal basis to support that conclusion.
Wyndham also argued that, even if Section 5 grants the FTC data security authority, it would violate principles of fair notice and due process to hold the company liable. Wyndham contends that the FTC failed to adequately notify companies through “rules, regulations, or other guidelines” as to acceptable data security standards. In essence, Wyndham argued that before bringing an unfairness action under Section 5, the FTC must publish rules and regulations. The district court rejected this argument stating such a proposition “would necessarily require the Court to sidestep long-standing precedent . . . that suggests precisely the opposite . . . .”
There are three aspects of the FTC v. Wyndham case that are especially significant to EPIC’s mission and its consumer privacy work: (1) Wyndham is challenging the FTC’s authority to bring enforcement actions for consumer data breaches under Section 5, and EPIC frequently calls on the FTC to bring enforcement actions against companies that violate consumer privacy; (2) data breaches are an area of major concern for consumers, and EPIC’s mission is to advocate for strong consumer privacy protections; and (3) as an expert on both consumer privacy and security issues, EPIC is uniquely qualified to outline the data security standards that should be followed by all companies.
EPIC advocates on behalf of Internet users before the FTC, and frequently files complaints based on the unfair and deceptive practices of companies who handle sensitive user data. As a result of these and other complaints, the FTC has brought a number of important enforcement actions against companies for violations of Section 5. EPIC has also argued that the FTC needs to more aggressively enforce its consent decrees in order to ensure the protection of consumer privacy rights. The FTC plays an important role as privacy regulator in the United States, though EPIC has argued in the past that Congress should provide for more comprehensive data protection regulations under the Consumer Privacy Bill of Rights.
EPIC has filed important data-security-related complaints with the FTC, many of which have led to enforcement actions by the agency:
- In re Snapchat (2013) – Failure to Securely Delete User Images
- EPIC filed an FTC complaint against Snapchat on May 16, 2013, alleging that the app company violated Section 5 when it failed to securely delete its users’ photos, videos, and messages. Snapchat is a mobile photo-sharing application that claimed to allow users to take photos and videos that would self-destruct permanently after the recipient viewed them. However, Snapchat images were not actually deleted from users’ phones; the app merely changed the file extension to .NOMEDIA, cloaking the file from the user. The files could be easily recovered from the phone’s memory.
- On May 8, 2014, less than a year after EPIC filed the complaint, the FTC entered into a consent order and proposed settlement agreement with Snapchat over its alleged violations of Section 5. Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies.
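The Snapchat complaint turns on the difference between hiding a file and deleting it. The following is added example code (not Snapchat’s, EPIC’s, or the FTC’s) that reproduces the failure mode in a scratch directory: a “hide” step renames the file so media scanners skip it, a “delete” step unlinks it, and a recovery scan shows which approach leaves the bytes on disk. The file names, the sample image bytes, and the exact renaming scheme (appending .NOMEDIA to the original name) are constructed for the illustration.

```python
"""Hidden-vs-deleted demonstration for the .NOMEDIA failure mode.

Added example, not code from Snapchat or the page's authors. File names,
payload bytes, and the renaming scheme are constructed assumptions.
"""
import tempfile
from pathlib import Path


def hide_by_extension(path: Path) -> Path:
    """The defective approach: rename the file so gallery/media scanners
    ignore it. The content is untouched and still readable."""
    hidden = path.with_name(path.name + ".NOMEDIA")  # assumed scheme
    path.rename(hidden)
    return hidden


def delete_file(path: Path) -> None:
    """Remove the directory entry so the file is gone under any name."""
    path.unlink()


def recoverable_copies(directory: Path, original: bytes) -> list:
    """Recovery check: list every file in the directory whose content is
    byte-for-byte identical to the data that was supposed to be deleted."""
    return sorted(
        p.name
        for p in directory.iterdir()
        if p.is_file() and p.read_bytes() == original
    )


def demo(approach: str) -> list:
    """Write a constructed 'snap', apply the given approach ('hide' or
    'delete'), and return the names of files still holding its content."""
    payload = b"\xff\xd8\xff\xe0 constructed JPEG-like sample bytes"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        snap = workdir / "snap_0001.jpg"  # constructed name
        snap.write_bytes(payload)
        if approach == "hide":
            hide_by_extension(snap)
        elif approach == "delete":
            delete_file(snap)
        else:
            raise ValueError(f"unknown approach: {approach}")
        return recoverable_copies(workdir, payload)


if __name__ == "__main__":
    print("after hide:  ", demo("hide"))    # the renamed file still matches
    print("after delete:", demo("delete"))  # nothing matches
```

The recovery scan is the check a reviewer would run against any “self-destruct” claim: compare what the application says is gone with what is still readable from storage. Note that unlinking only removes the name; on flash storage the underlying blocks can persist until they are overwritten, so a claim of permanent destruction needs more than `unlink` alone.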
- In re Scholarships.com (2013) – Disclosure of Student Health Data
- EPIC filed an FTC complaint against Scholarships.com on December 12, 2013, alleging that the company had failed to properly protect sensitive student data, and that its disclosure of sensitive student health information was an unfair trade practice. Scholarships.com is a web service used by students seeking financial aid and scholarship opportunities. In order to use the service, Scholarships.com requires that students disclose sensitive personal information, including personal health history. EPIC’s complaint alleged that Scholarships.com transfers this data to an affiliate marketing company, which then sells the data to third parties. EPIC’s complaint also alleged that Scholarships.com failed to use reasonable data security practices to protect the sensitive information that it was gathering.
- Following EPIC’s complaint, Scholarships.com updated its website to provide for encrypted connections. EPIC received a letter from the company disclaiming liability, but also reassuring EPIC that Scholarships.com had begun to use HTTPS.
- In re Choicepoint (2004) – Consumer Data Breaches
- EPIC filed an FTC complaint against Choicepoint in December 2004, alleging that the data broker had sold the personal data of hundreds of thousands of consumers to identity thieves, resulting in significant financial harm. EPIC subsequently urged the company to provide victims with access to the data that was disclosed to criminal organizations. The next month, EPIC testified before the California Senate Banking, Finance and Insurance Committee, which was investigating the Choicepoint breaches.
- In January 2006, the FTC brought an action against Choicepoint seeking $15 million in civil penalties and remuneration to the victims of the security breach. The FTC also prohibited Choicepoint from deceiving consumers as to the security of their personal information.
EPIC has also written extensively on the data security implications raised by the collection and storage of sensitive consumer information. In April 2014 comments to the White House, EPIC pointed to the massive data breaches at Target, Adobe, and LivingSocial, which affected millions of consumers, to illustrate the enormous risk of inadequate data security practices. A May 2014 report found that half of American adults’ data had been hacked in the last year. In addition to the breaches listed above, Neiman Marcus, Michaels, eBay, Home Depot, multiple health care providers, and J.P. Morgan all suffered massive breaches that exposed consumers to substantial financial harm, including identity theft and credit card fraud.
Although data breaches may be a recent phenomenon, businesses’ obligation to secure consumer data has not changed. As Ed Felten, EPIC Advisory Board Member and the FTC’s first chief technologist, has noted, “[t]he FTC has established a principle that companies have a responsibility to protect consumers’ private data . . . . The challenge there is to understand how to apply that across different technologies.”
EPIC has previously taken a stand against the insecure handling of sensitive consumer information. For example, in 2011, EPIC filed an amicus curiae brief in the U.S. Supreme Court in Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011). In Sorrell, the Court considered whether Vermont’s prescription privacy law, which would have barred disclosure of prescription data for marketing purposes, violated the First Amendment rights of health data firms. In its brief, EPIC argued that patient records were at risk of being identified because the “cryptographic technique used to conceal the identity of the patients is inadequate.”
U.S. Court of Appeals for the Third Circuit (No. 14-3514)
- Memorandum Opinion (Aug. 24, 2015)
- FTC’s Supplemental Brief (Mar. 30, 2015)
- Wyndham’s Supplemental Brief (Mar. 30, 2015)
- Oral Argument Transcript
- Wyndham’s Opening Brief (Oct. 6, 2014)
- Amicus Briefs in Support of Wyndham
- FTC’s Brief (Nov. 5, 2014)
- Amicus Briefs in Support of the FTC
- Wyndham’s Reply Brief (Dec. 8, 2014)
District Court for the District of New Jersey (No. 13-1887)
- Order of Designation for Mediation (Nov. 18, 2014)
- Opinion Denying Wyndham’s Motion to Dismiss (April 7, 2014)
- FTC’s Opposition to Motion to Dismiss (June 27, 2013)
- Wyndham’s Motion to Dismiss (Aug. 27, 2012)
- First Amended Complaint for Injunctive and Other Equitable Relief (Aug. 9, 2012)
- FCC v. Fox Television Stations, Inc., 132 S. Ct. 2307 (2012)
- Brown & Williamson Tobacco Corp. v. FDA, 153 F.3d 155 (2000)