Wyndham lawsuit tests FTC's data security enforcement authority

Federal judge in N.J. this week let Chamber of Commerce and others file motion to dismiss suit

Page 2 of 2

That motion noted that the FTC's data security enforcement actions harken back to its overzealous use of the unfair and deceptive practices provisions to pursue other perceived business misdeeds in the past. The agency's past enforcement excesses using Section 5 led to Congress imposing restrictions on its authority in 1994, the Chamber argued.

"Despite these acknowledged statutory constraints, carefully calibrated by Congress in response to years of agency overreaching, the FTC again is attempting to use Section 5 inappropriately," the Chamber said.

Berin Szoka, president of TechFreedom, said the case is important because it's the first time since the FTC began its data breach enforcement actions nine years ago that any company had challenged its enforcement authority.

All of the 41 companies hit with FTC lawsuits so far have quietly acquiesced to its settlement terms for fear of attracting more attention and trouble, Szoka said. When confronted with the choice of settling a case or going through a long and potentially costly investigative and discovery process, companies tended to choose the former, he noted.

"The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law," he said. Even so, it has not established any such law through its enforcement actions, he said.

"Here, all you have to go on are these 41 enforcement actions where the FTC has convinced companies to settle out of court with no adjudication. The courts have never signed off and said we think this is the proper interpretation," Szoka said.

As a result, companies have little information to guide them on what exactly constitutes reasonable care, deception and unfair practices in the FTC's eyes, he said.

Chris Hoofnagle, director of information privacy programs at the University of California Berkeley Center for Law & Technology, described the dismissal efforts as a "Hail Mary effort to stop the FTC from enforcing its unfairness power."

"For decades, long before the FTC became involved in privacy, business groups have tried to cabin the FTC so that it can only enforce wrongs that were addressable by the common law," Hoofnagle said in emailed comments to Computerworld.

In an amicus brief supporting the FTC's position, Hoofnagle noted that the agency's enforcement actions have served as the only effective means of holding companies accountable for failing to protect data entrusted to them by consumers.

Although consumers can suffer substantial harm from a data breach, federal courts have been reluctant to recognize private tort action against breached entities. So the FTC enforcement actions have been the primary protection for consumers, he said.

"Congress, in creating the FTC and in empowering it to police unfair and deceptive trade practices, explicitly gave the agency power to determine what is unfair and deceptive." Trying to make the FTC an entity that can only enforce common law defeats the purpose for which it was created, Hoofnagle said. "[It] raises a basic question: Why have the FTC at all?"

FTC officials could not be reached immediately for comment on the case.

This article, Wyndham lawsuit tests FTC's data security enforcement authority, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.



Copyright © 2013 IDG Communications, Inc.
