The FTC’s complaint asserts violations of Section 5 of the Federal Trade Commission Act, which prohibits “unfair and deceptive acts or practices.” Wyndham moved to dismiss the lawsuit on three separate grounds, each of which the district court rejected.
No Congressional Preemption
Wyndham first argued that the FTC’s unfairness authority does not extend to data security. According to Wyndham, Congress fully occupied the field to the FTC’s exclusion by passing more narrowly tailored data-security legislation. Wyndham also contended that the FTC had disclaimed authority to regulate data security under Section 5, much like the FDA’s disclaimers over tobacco regulation in FDA v. Brown & Williamson Tobacco Corporation.
The court rejected these arguments. It distinguished Brown & Williamson because Congress’s data-security legislation, in its view, “seems to complement—not preclude—the FTC’s authority.” Echoing earlier decisions that recognize a broad grant of authority under Section 5 of the FTC Act, the court found that “the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.”
Fair Notice Argument Rejected
Wyndham next argued that it had been deprived of fair notice because the FTC failed to promulgate rules or regulations “explaining what data-security practices the Commission believes Section 5 to forbid or require” prior to bringing its unfairness claim.
In rejecting this argument, the court noted long-standing precedent allowing Section 5 unfairness actions without preexisting rules or regulations. Indeed, courts have held that administrative agencies often have the option of enforcing similar prohibitions through individual enforcement actions instead of broad rulemaking. “[T]he contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations.’”
The court found it would be simply “untenable” to require the FTC to impose particularized, proscribing regulations before bringing unfairness enforcement actions—“a result,” the court said, “that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”
“Allowing that sort of flexibility in the dynamic arena of data security and privacy protection may be necessary,” says Stephen J. Siegel, Chicago, IL, cochair of the ABA Section of Litigation’s Commercial & Business Litigation Committee. “That said,” Siegel cautions, “many have expressed unease with the Commission bypassing rule-making processes to effectively develop a ‘common law’ of data security rules primarily by using complaints and private settlements.”
Claims Sufficiently Pled
Wyndham’s final argument challenged the particularity with which the FTC pled its unfairness and deception claims. First, Wyndham argued that the existence of caps on consumer liability for fraudulent payment card charges prevents any individual consumer’s injury from rising to the level of “substantial,” as required by Section 5. For purposes of ruling on the motion to dismiss, however, the court deferred to the FTC’s allegation to the contrary. What is more, the court noted, prior decisions have found injuries to be “substantial” when a small harm had been inflicted on a sufficiently large number of people.
Even so, Section 5 liability will not exist if the injuries were reasonably avoidable by affected consumers. Wyndham asserted that its guests could easily avoid financial injury simply by having their banks rescind the fraudulent charges. The court demurred on this point, finding it better suited for resolution on the merits. “It is important to note that the court didn’t deny that actual injury must be shown,” says Scott F. Bertschi, Atlanta, GA, cochair of the Section’s Professional Liability Litigation Committee. “Presumably, the FTC will be required to show some specific evidence of a causal linkage at the summary judgment stage.”
Edward A. Marshall, Atlanta, GA, cochair of the Payment Systems Subcommittee of the Section’s Commercial & Business Litigation Committee, wonders whether FTC actions like this are “an unwarranted government ‘pile on.’” Marshall notes that, in addition to the reputational harm and data breach response costs that hacked companies incur, “many of these merchants may be subject to significant liability assessments by the card networks, such as Visa and MasterCard, if the data breach resulted from a lack of fidelity to PCI data security standards.”
Though clearly broad in scope, the court tempered its ruling with a warning that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” The check it has written thus far, though, appears fairly large indeed.
Wyndham has moved the district court to certify its order for interlocutory appeal.
Henry R. Chalmers is an associate editor for Litigation News.