Antitrust and Consumer Protection
Competition: Fall 2014, Vol. 23, No. 2
Content
- "All Natural" Class Actions: a Plaintiff Perspective
- Appellate Courts Grapple With the Foreign Trade Antitrust Improvements Act—Plaintiffs' Perspective
- Cafa: Recent Developments On the Jurisdictional and Settlement Fronts
- Chair's Column
- Defense Perspective: "All Natural" Class Actions
- Editor's Note
- Federal and State Class Antitrust Actions Should Not Be Tried In a Single Trial
- Joint Trial of Direct and Indirect Purchaser Claims
- Masthead
- Plaintiff Perspective: the Long Arm of State Antitrust Law
- Recoveries For Violations of Federal and California Antitrust Statutes Should Not Be Apportioned
- So Your Suppliers Conspired Against You: An Antitrust Class Action Opt-out Primer
- The Ftaia Limits the Extraterritorial Reach of State Antitrust Laws
- The Misapplication of Associated General Contractors To Cartwright Act Claims
- The Problem of Duplicative Recovery Under Federal and State Antitrust Law
- Why Associated General Contractors Should Be Used To Assess Standing In Cartwright Act Cases
- Ftc V. Wyndham Worldwide Corporation, Et Al. and the Ftc's Authority To Regulate Companies' Data Security Practices
FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL. AND THE FTC’S AUTHORITY TO REGULATE COMPANIES’ DATA SECURITY PRACTICES
By Kathryn F. Russo1
I. INTRODUCTION
In a landmark decision, FTC v. Wyndham Worldwide Corp.,2 a federal court held for the first time, that the FTC has authority under Section 5 of the Federal Trade Commission Act3 to enforce the prohibition against unfair and deceptive acts or practices in the field of data security. Although the FTC has brought data security enforcement actions against companies under Section 5 for over a decade, the Wyndham decision is significant because it is the first time a federal court has held, in the face of robust opposition, that the FTC has authority under Section 5 to bring such actions. As detailed below, the FTC alleged that Wyndham’s failure to maintain reasonable data security standards violated Section 5 of the FTC Act.4 In response, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.5 The District Court denied Wyndham’s motion to dismiss and held, among other things, that (i) the FTC has authority pursuant to Section 5 of the FTC Act to assert an unfairness claim in the data security context, (ii) the FTC provided fair notice of what constitutes an unfair data security practice and is not required to issue regulations before bringing an unfairness claim, and (iii) the FTC’s complaint sufficiently plead an unfairness claim under the FTC Act.6 Because some California courts of appeal have applied the FTC’s three-prong definition of unfair, the Wyndham decision has implications on California’s Unfair Competition Law as well.
Although the District Court held that the FTC has authority under Section 5 to bring data security actions against companies, it is important to note that the Court’s opinion is in the context of a motion to dismiss. The issue as to whether there was substantial injury to consumers will need to be litigated. Additionally, the Court makes clear that its decision is not a "blank check" for the FTC to bring lawsuits against any company that has experienced a data breach. 7