Antitrust and Unfair Competition Law
Competition: Fall 2014, Vol. 23, No. 2
FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL. AND THE FTC’S AUTHORITY TO REGULATE COMPANIES’ DATA SECURITY PRACTICES
By Kathryn F. Russo1
I. INTRODUCTION
In a landmark decision, FTC v. Wyndham Worldwide Corp.,2 a federal court held, for the first time, that the FTC has authority under Section 5 of the Federal Trade Commission Act3 to enforce the prohibition against unfair and deceptive acts or practices in the field of data security. Although the FTC has brought data security enforcement actions against companies under Section 5 for over a decade, the Wyndham decision is significant because it is the first time a federal court has held, in the face of robust opposition, that the FTC has authority under Section 5 to bring such actions. As detailed below, the FTC alleged that Wyndham’s failure to maintain reasonable data security standards violated Section 5 of the FTC Act.4 In response, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.5 The District Court denied Wyndham’s motion to dismiss and held, among other things, that (i) the FTC has authority pursuant to Section 5 of the FTC Act to assert an unfairness claim in the data security context, (ii) the FTC provided fair notice of what constitutes an unfair data security practice and is not required to issue regulations before bringing an unfairness claim, and (iii) the FTC’s complaint sufficiently pleaded an unfairness claim under the FTC Act.6 Because some California courts of appeal have applied the FTC’s three-prong definition of unfair, the Wyndham decision has implications for California’s Unfair Competition Law as well.
Although the District Court held that the FTC has authority under Section 5 to bring data security actions against companies, it is important to note that the Court’s opinion is in the context of a motion to dismiss. The issue as to whether there was substantial injury to consumers will need to be litigated. Additionally, the Court makes clear that its decision is not a "blank check" for the FTC to bring lawsuits against any company that has experienced a data breach.7
II. FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL.
A. The FTC’s Complaint Against Wyndham
In August of 2012, the FTC brought an action8 against Wyndham Worldwide Corporation and three of its subsidiaries pursuant to Section 5 of the FTC Act9 alleging Wyndham violated Section 5(a)’s prohibition of "acts or practices in or affecting commerce" that are "unfair" or "deceptive." The FTC alleges that Wyndham’s failure to maintain reasonable and appropriate data security standards for consumers’ sensitive personal information allowed hackers to gain unauthorized access to Wyndham’s computer networks on three occasions and resulted in "more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia."10 Specifically, the FTC alleges that Wyndham (a) failed to use firewalls; (b) stored payment card information in clear readable text; (c) failed to implement adequate information security policies and procedures; (d) failed to remedy known security vulnerabilities; (e) used default user IDs and passwords; (f) did not require the use of complex passwords; (g) failed to adequately inventory computers; (h) failed to employ reasonable measures to detect and prevent unauthorized access to computer networks; (i) failed to follow proper incident response procedures; and (j) failed to adequately restrict third-party vendors’ access to Wyndham’s network.11 The FTC alleges that taken together, such data security failures unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.12 Further, the FTC argues that such unreasonable exposure has caused and is likely to cause substantial injury to consumers and businesses.13 For example, the FTC states that consumers and businesses suffered financial injury including, "unreimbursed fraudulent charges, increased costs, and lost access to funds or credit."14 Based on Wyndham’s alleged unfair and deceptive acts and practices in violation of Section 5, the FTC requests the Court enter a permanent injunction and grant other relief the Court deems proper.15
B. Wyndham’s Motion to Dismiss
In response to the FTC’s complaint, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.16
First, Wyndham argues that the FTC’s unfairness authority under Section 5 of the FTC Act does not extend to the regulation of data security practices of private companies.17 Wyndham equates the FTC’s action with FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000).18 In Brown & Williamson, the U.S. Supreme Court held that Congress did not grant the FDA jurisdiction to regulate tobacco products and stated, "if tobacco products were within the FDA’s jurisdiction, the Act would require the FDA to remove them from the market entirely. But a ban would contradict Congress’ clear intent as expressed in its more recent, tobacco-specific legislation."19 Wyndham contends that akin to Brown & Williamson, since the enactment of the FTC Act, Congress has "settled on ‘a less extensive regulatory scheme’ and passed narrowly tailored legislation."20 Wyndham cites various laws including the Fair Credit Reporting Act ("FCRA"), the Gramm-Leach-Bliley Act ("GLBA"), the Children’s Online Privacy Protection Act ("COPPA"), and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") as evidence that the FTC lacks general authority under Section 5 to regulate data security practices.21 Additionally, Wyndham argues that in light of pending cybersecurity legislation and the "important economic and political considerations involved in establishing data-security standards for the private sector…it defies common sense to think that Congress would have delegated that responsibility to the FTC …."22 Further, Wyndham contends that like the FDA in Brown & Williamson, the FTC disclaimed its authority to regulate data security on various occasions.23
Second, Wyndham argues that even if the FTC has authority under Section 5 of the FTC Act to regulate data security standards for private companies, Wyndham cannot be held liable because the FTC did not provide fair notice of what Section 5 requires.24 Wyndham argues that fair notice requires the FTC to publish data security rules and regulations establishing guidance and performance measures for companies to follow.25 Wyndham states, "[b]ecause the FTC has not published any rules, regulations, or other guidelines explaining what data-security practices the Commission believes Section 5 to forbid or require, it would violate basic principles of fair notice and due process to hold [Wyndham] liable in this case."26 Additionally, Wyndham argues that agencies in general "cannot use enforcement actions simultaneously to make new rules and to hold a party liable for violating the newly announced rule."27 In sum, Wyndham argues that under its Section 5 unfairness authority the FTC would have to promulgate data security rules before holding Wyndham liable for any violations of Section 5 related to data security.
Third, Wyndham argues that Section 5 does not govern the security of payment card data.28 Pursuant to Section 5, an act or practice is unfair if the act or practice "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."29 Wyndham argues that consumer injury from the theft of payment card data is "never substantial and always avoidable" because federal law limits a consumer’s liability for unauthorized use of payment card data to $50 and all major credit card brands waive liability for any unauthorized charges.30 Wyndham argues that because the injury posed by the theft of payment card data is not substantial and is reasonably avoidable by consumers themselves, the FTC cannot meet the unfairness requirements under Section 5 in its current action.
C. The District Court’s Order Denying Wyndham’s Motion to Dismiss
On April 7, 2014, the United States District Court for the District of New Jersey denied Wyndham’s motion to dismiss and held, among other things, that (i) the FTC has authority pursuant to Section 5 of the FTC Act to assert an unfairness claim in the data security context, (ii) the FTC provided fair notice of what constitutes an unfair data security practice and is not required to issue regulations before bringing an unfairness claim, and (iii) the FTC’s complaint sufficiently pleaded an unfairness claim under the FTC Act.31
First, the Court rejects Wyndham’s claim that this case is analogous to Brown & Williamson.32 The Court states that unlike in Brown & Williamson, where Congress acted to preclude the FDA from exercising its authority in the area of tobacco products, "[h]ere, subsequent data-security legislation seems to complement—not preclude—the FTC’s authority."33 The Court states that statutes such as the FCRA, GLBA, and COPPA grant the FTC tools in addition to its authority under Section 5.34 Indeed, the Court states, "the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme."35 Further, the Court analyzed the statements put forth by Wyndham as evidence that the FTC disclaimed its authority to regulate data security. Following an analysis of these statements, the Court made clear that it was "not convinced" that these statements made by the FTC "equate to a resolute, unequivocal position under Brown & Williamson that the FTC has no authority to bring any unfairness claim involving data security."36 The Court, guided by precedent, rejects Wyndham’s arguments and concludes that the FTC has authority pursuant to Section 5 to assert an unfairness claim in the data security context.
Second, the Court rejects Wyndham’s claim that fair notice requires the FTC to formally issue rules and regulations before it can file an unfairness claim in the data security context.37 The Court states, "Circuit Courts of Appeal have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations specifically addressing the conduct-at-issue."38 Additionally, the Court states that requiring the FTC to publish rules and regulations before bringing an enforcement action would "require the Court to sidestep long-standing precedent," including the Third Circuit’s affirmation that the FTC has discretion as to whether it pursues ad hoc litigation or regulation.39 Further, the Court states that it is not persuaded by Wyndham’s argument that regulations are the only means of providing sufficient fair notice, and cites Section 5’s three-prong test that defines what constitutes an unfair act or practice.40 The Court also points to the FTC’s "many public complaints and consent agreements" as a "body of experience and informed judgment to which courts and litigants may properly resort for guidance."41 The Court concludes that accepting Wyndham’s argument that the FTC must promulgate rules and regulations before bringing unfairness actions is untenable and would produce a result that is "in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act."42
Third, the Court held that the FTC’s complaint sufficiently pleads an unfairness claim under the FTC Act.43 An act or practice is unfair if it (1) "causes or is likely to cause substantial injury to consumers," (2) "which is not reasonably avoidable by consumers themselves," and (3) is "not outweighed by countervailing benefits to consumers or to competition."44 The Court found that the FTC adequately pleads the "substantial injury" requirement because the FTC alleges that some consumers suffered financial injury.45 Additionally, the Court found that the FTC adequately pleads the alleged substantial injury was "not reasonably avoidable" and stated that this issue is fact-dependent.46
D. Wyndham’s Interlocutory Appeal to the Third Circuit
Following the District Court’s Order denying Wyndham’s motion to dismiss, Wyndham immediately filed a motion to certify the Order for interlocutory appeal to the Third Circuit.47 The District Court, noting the "novelty of liability issues relating to data-security breaches" and "the nationwide significance of the issues," granted Wyndham’s request for interlocutory appeal.48 The District Court certified the following two questions to the Third Circuit: (1) Whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act; and (2) Whether the FTC must formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.49 If the District Court is reversed as to either of these controlling questions of law, the trial will be limited to the FTC’s deception count.50
III. IMPLICATIONS OF THE WYNDHAM DECISION AND FUTURE HURDLES
A. Implications of Wyndham on California’s Unfair Competition Law
Under California’s unfair competition law ("UCL"), any "unlawful, unfair or fraudulent business act or practice" is prohibited.51 There is a three-way split among the courts as to what definition of "unfair" should be applied in consumer cases.52 Some California courts of appeal have applied the FTC’s three-prong definition of unfair.53 The District Court’s recent decision denying Wyndham’s motion to dismiss therefore has implications for the UCL. The Court held that the FTC’s complaint sufficiently pleaded the unfairness claim under the FTC Act pursuant to its three-prong test.54 A California court applying the FTC’s three-prong definition of unfair will likely look to the Wyndham decision regarding whether a plaintiff has sufficiently pleaded an unfairness claim.
B. Wyndham and Showing Substantial Injury to Consumers
It is important to note that the Court’s opinion is in the context of a motion to dismiss. As the case progresses the FTC will have to show evidence of substantial injury to consumers. Although in most cases substantial injury to consumers involves monetary harm, unwarranted safety risks may also support a finding of unfairness.55 Further, "[a]n injury may be sufficiently substantial … if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm."56
Historically, showing financial harm to consumers has been the most difficult hurdle for plaintiffs to overcome in data privacy and security cases. Although outside of the data security context, a recent decision by the California Court of Appeal, Heller v. Ralph’s Grocery Co.,57 illustrates the difficulty plaintiffs face showing economic injury resulting from a company’s data privacy practices. In Ralph’s, the plaintiff, Heller, sued Ralph’s Grocery Company for unfair competition based on violations of the Supermarket Club Card Disclosure Act of 1999,58 by "selling and/or sharing its customers’ personal identification information without their consent."59 Heller argued, among other things, that he and his class members had suffered economic damages because "had they known that Ralphs was sharing their personal information and purchases with third parties in violation of the Club Card Act" they "would not have applied for a Ralphs rewards card and/or would not have shopped at Ralphs grocery stores and/or would not have purchased as many items from Ralphs grocery stores."60 Heller relied on Kwikset Corp. v. Superior Court,61 in which the California Supreme Court held that "plaintiffs who can truthfully allege they were deceived by a product’s label into spending money to purchase the product, and would not have purchased it otherwise, have ‘lost money or property’ … and have standing to sue."62 Although it seems that Kwikset should apply in the Ralph’s case, the Court held that Heller lacked standing to sue and stated that Heller’s reliance on Kwikset was "misplaced."63 The Court stated that unlike the plaintiff in Kwikset, Heller does not allege "that any product Heller purchased at Ralphs was not as represented, and Heller paid nothing for the reward card itself, there is no nexus between Ralph’s alleged unfair business practice (using Heller’s personal information) and the money he paid for the products."64 Even though the Court in Ralphs held that Heller did not have standing to sue, this case is unpublished and other courts may apply the reasoning in Kwikset to cases similar to the Ralph’s case. A strong argument could be made that the Court in Ralphs applied too narrow a notion of injury. The sharing of a customer’s personal information in violation of the Club Card Act could compromise the safety and security of such personal data. It is plausible that a customer would not apply for a rewards card or shop at a business that shares its customers’ personal information without permission.
IV. CONCLUSION
The Wyndham decision is significant because it is the first time a federal court has held that the FTC has authority under Section 5 to bring data security actions against companies. However, it is important to note that the Court’s opinion is in the context of a motion to dismiss and going forward the FTC will have to show evidence of substantial injury to consumers. Further, the Court makes clear that "this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked."65 Even so, this decision emphasizes the FTC’s role as a leading enforcement authority of data security practices and could set the stage for additional lawsuits and encourage further actions against companies.
——–
Notes:
1. Kathryn F. Russo is the Deputy General Counsel and an Associate at Goldberg, Lowenstein & Weatherwax LLP in Los Angeles. The opinions set forth in this article are hers alone and do not necessarily reflect the positions of the firm or its clients.
2. FTC v. Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 (D. N.J. April 7, 2014).
3. 15 U.S.C. § 45(a)(1).
4. Federal Trade Commission v. Wyndham Worldwide Corporation, et al., First Amended Complaint for Injunctive and Other Equitable Relief (D. Ariz. Aug. 9, 2012) ("Wyndham Complaint").
5. Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Motion to Dismiss by Defendant Wyndham Hotels & Resorts LLC (D. N.J. Apr. 26, 2013) ("Wyndham Motion to Dismiss").
6. See 2014 U.S. Dist. LEXIS 47622.
7. 2014 U.S. Dist. LEXIS 47622 at *11.
8. See Wyndham Complaint.
9. 15 U.S.C. § 45(a).
10. Wyndham Complaint ¶ 2.
11. Id. ¶ 24.
12. Id.
13. Id. ¶ 40.
14. Id.
15. Id. at p. 20.
16. See Wyndham Motion to Dismiss.
17. Id. at 7.
18. Id. at 7-8, 14.
19. FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 143 (2000).
20. Wyndham Motion to Dismiss at 14.
21. Id. at 9.
22. Id. at 13.
23. Id. at 10.
24. Id. at 14.
25. Id. at 15.
26. Id.
27. Id.
28. Id. at 19.
29. 15 U.S.C. § 45(n).
30. Wyndham Motion to Dismiss at 19.
31. See 2014 U.S. Dist. LEXIS 47622.
32. Id. at *16.
33. Id. at *18-19.
34. Id. at *19.
35. Id. at *19-20.
36. Id. at *23.
37. Id. at *31.
38. Id. at *33.
39. Id. at *36.
40. Id. at *38; See 15 U.S.C. § 45(n).
41. 2014 U.S. Dist. LEXIS 47622 at *41-42.
42. Id. at *43.
43. Id. at *45.
44. 15 U.S.C. § 45(n).
45. 2014 U.S. Dist. LEXIS 47622 at *47.
46. Id. at *54-55.
47. Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Defendant’s Notice of Motion to Certify Order Denying Motion to Dismiss for Interlocutory Appeal (D. N.J. April 17, 2014).
48. Federal Trade Commission v. Wyndham Worldwide Corporation, et al., Memorandum Opinion and Order (D. N.J. June 23, 2014) ("Interlocutory Appeal Order").
49. Interlocutory Appeal Order at 9-10.
50. Id. at 8.
51. Cal. Bus. & Prof. Code § 17200 et seq.
52. See Durell v. Sharp Healthcare, 183 Cal. App. 4th 1350, 1364 (2010); Morgan v. AT&T Wireless Servs. Inc., 177 Cal. App. 4th 1235, 1254-55 (2009); Klein v. Chevron U.S.A., Inc., 202 Cal. App. 4th 1342, 1376 (2012).
53. See Klein v. Chevron U.S.A., Inc., 202 Cal. App. 4th at 1376.
54. See 2014 U.S. Dist. LEXIS 47622 at *45.
55. See FTC Policy Statement on Unfairness, appended to Int’l Harvester Co., 104 F.T.C. 949, 1070 (1984), available at http://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.
56. Id.
57. Heller v. Ralph’s Grocery Co., 2014 Cal. App. Unpub. LEXIS 4527 (June 23, 2014).
58. Cal. Civ. Code § 1749.60-1749.66.
59. See Heller v. Ralph’s Grocery Co at *1.
60. Id. at *3-4.
61. Kwikset Corp. v. Superior Court, 51 Cal. 4th 310 (2011).
62. Id. at 317.
63. Heller v. Ralph’s Grocery Co. at *9.
64. Id. at *11.