Academic journal article Harvard Law Review

Administrative Law - Federal Trade Commission Act - Third Circuit Finds FTC Has Authority to Regulate Data Security and Company Had Fair Notice of Potential Liability

Academic journal article Harvard Law Review

Administrative Law - Federal Trade Commission Act - Third Circuit Finds FTC Has Authority to Regulate Data Security and Company Had Fair Notice of Potential Liability

Article excerpt

ADMINISTRATIVE LAW--FEDERAL TRADE COMMISSION ACT--THIRD CIRCUIT FINDS FTC HAS AUTHORITY TO REGULATE DATA SECURITY AND COMPANY HAD FAIR NOTICE OF POTENTIAL LIABILITY.--FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

Many statutes authorizing regulation by executive agencies were written long before modern computer technology was invented, and even longer before hackers began exploiting weaknesses to access personal information. In the last decade, the Federal Trade Commission (FTC) has started to police companies for exposing the data they collect from consumers to the threat of breach. The Commission has primarily based this enforcement on the FTC Act (1) (FTCA), which in 15 U.S.C. [section] 45(a) prohibits "unfair ... practices in or affecting commerce. (2) This language has left the Commission vulnerable to challenge based on its scope of authority. Recently, in FTC v. Wyndham Worldwide Corp., (3) the Third Circuit held that certain data security practices could be considered "unfair" under [section] 45(a), and that the relevant provision provided Wyndham fair notice that its practices opened it up to liability. Based on the procedural posture and facts of the case, the court correctly determined that Wyndham had fair notice of its potential liability under the statute. But the court's statutory fair notice analysis illustrated a tension between effective FTC regulation of data security practices and constitutional notice requirements. Future courts facing more difficult factual circumstances will likely have to grapple with this tension in a way the Third Circuit was able to avoid.

Wyndham Worldwide, a hospitality company that franchises and manages hotels, used a property management system that processed consumer information, including names, addresses, contact information, and credit card information. (4) In 2008 and 2009, Wyndham's network and property management systems were hacked three times. (5) Hackers allegedly accessed unencrypted information for over 619,000 accounts, resulting in approximately $10.6 million in fraud loss. (6)

The FTC filed suit against Wyndham in the U.S. District Court for the District of Arizona in June 2012, claiming that the hacks were the result of unfair and deceptive practices in violation of [section] 45(a). (8) At Wyndham's request the case was transferred to the U.S. District Court for the District of New Jersey, and Wyndham filed a Rule 12(b)(6) motion to dismiss. (9) Wyndham asserted three claims: the FTC did not have authority to bring a data security unfairness claim, violated fair notice principles by bringing an unfairness claim without first promulgating formal regulations, and insufficiently pleaded its unfairness and deception claims. (10)

The district court denied the motion to dismiss. (11) In response to Wyndham's first claim, the court held that FTC authority over data security could "coexist with the existing data security regulatory scheme" (12) and was not, as Wyndham argued, analogous to the FDA's claim of authority over tobacco rejected in FDA v. Brown & Williamson Tobacco Corp. (13) As to Wyndham's second claim, the court noted that agencies generally have the discretion to regulate through adjudication or rulemaking as they see fit. (14) Although the court acknowledged the parties' dispute over the applicable standard of review, (15) it focused instead on the ability of the FTC's public statements, guidance documents, and complaints and consent decrees to provide notice. (16) Moreover, "a statutorily-defined standard exist[ed] for asserting an unfairness claim" (17)--[section] 45 requires that a practice satisfy a particular cost-benefit balancing test to be declared "unfair." (18) The court also held the FTC did not need to formally promulgate rules because the proscriptions in [section] 45 are purposefully flexible. (19) It also denied Wyndham's third claim, finding that the agency had adequately alleged substantial consumer injury that was not reasonably avoidable by the consumers themselves. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.