In the News Law360

Wyndham Data Security Suit Could Hamper FTC Enforcement

Wyndham Hotel & Resorts LLC on Monday shot back at the Federal Trade Commission's allegations that it failed to adequately secure guests' personal information, contending that the commission lacks the authority to regulate private companies' data security practices — an argument that, if upheld, would hamper the agency's ability to bring and settle privacy actions, according to attorneys.

In its motion to dismiss the FTC's case in Arizona federal court, Wyndham asserted that the agency overstepped its statutory authority in claiming that the company violated Section 5 of the FTC Act by failing to employ "reasonable and appropriate" data security measures to protect personal information against unauthorized access.

If the court adopts Wyndham's arguments in the case — which has the potential to be the first fully litigated privacy case under Section 5 — the agency's increasingly common practice of pushing companies into settlements over their allegedly unfair and deceptive privacy practices would suffer a crippling blow, according to attorneys.

"The FTC has put a lot at risk here by pushing this suit against Wyndham," Morgan Lewis & Bockius LLP partner Gregory Parks told Law360 on Tuesday. "If the FTC loses the Wyndham case, the agency will lose some of its ability to bring lawsuits over unfair data security practices, and the threat of litigation that backs up its requests to settle most of its enforcement actions won't be as forceful."

While Section 5 permits the agency to bring enforcement actions against companies that make "deceptive" statements to consumers, the statute's prohibition on "unfair" trade practices — which has traditionally been read to prohibit certain "unconscionable or oppressive acts" toward consumers — does not allow the agency to establish data security standards for the private sector and enforce those standards in federal court, according to the company's motion.

"This case is a classic example of agency overreaching," the motion said. "Nothing in the text or history of Section 5 purports to give the commission the authority to decide whether data security protections are 'unfair,' 'reasonable' or 'appropriate,' and Congress' repeated enactment of specific data security statutes (and failed attempts to enact comprehensive data security laws) confirm that the statute cannot be construed so broadly."

Even if Section 5 could be construed to give the FTC authority over some aspects of data security, the statute "clearly cannot be stretched so far" as to authorize the agency to regulate the security of consumer payment card data because consumers have the ability to avoid any financial injury stemming from inadequate security by having their issuer rescind any unauthorized charges, the motion added.

Hunton & Williams LLP global privacy and data security practice head Lisa Sotto said the outcome of the Wyndham case would have serious ramifications for the future of FTC privacy enforcement actions, "particularly the question of whether most companies will simply settle the actions, as historically has been the case, or choose to challenge these actions."

"The FTC has had the luxury for over a decade of settling virtually every privacy enforcement action and doing so nearly entirely on its own terms," she said. "With this case, the agency will need to justify its legal position in a court of law."

These previous settlements, many of which were approved by federal courts, could ultimately help the FTC's position because they recognize that the agency has the power to bring unfair data security practices claims, according to Hogan Lovells privacy and information management practice group director Christopher Wolf, who called Wyndham's motion a bold move in light of these previous pacts.

Nevertheless, Parks said Wyndham had a "really strong argument that the FTC is trying to push beyond the bounds" of its existing regulatory authority, especially considering that the agency has repeatedly called on Congress to enact legislation that would require companies to maintain reasonable data security procedures and give the agency the power to enforce these standards.

"It's significant that the FTC is trying to regulate in an area in which Congress has declined to legislate," he said. "The agency is seeking to enforce something that it wishes it had the legislative authority to do, but it just doesn't."

Wyndham relied heavily on this point in its dismissal motion, noting that the FTC currently has the authority to regulate data security standards in "certain specific, limited contexts" under existing statutes such as the Fair Credit Reporting Act, the Children's Online Privacy Protection Act and the Gramm-Leach-Bliley Act.

"By delegating certain limited authority to the FTC, Congress has foreclosed any interpretation of Section 5 that would give the commission overarching authority to set data security standards for the private sector," the motion said. "If Section 5's prohibition on 'unfair' practices grants the FTC the broad authority it claims in this case, then those statutes would have been entirely superfluous."

Moving forward, the FTC should still be able to use its Section 5 authority to police companies' privacy promises, Parks noted, adding that the agency's claim that Wyndham deceived consumers by stating on its website that it used "commercially reasonable efforts" to secure payment card data it collected was closer to the type of allegation that the statute allows.

The company, however, argued that this allegation should also be dropped because its privacy policy only covers its own data security practices, and not those of the independently owned Wyndham-branded hotels that implemented the procedures that allegedly led to three breaches in less than two years.

In a separate motion to dismiss, three corporate affiliates of Wyndham used a similar liability argument in their own attempt to escape the litigation. Although the FTC's allegations center on unauthorized access to computers in Wyndham's network, the agency seeks to hold Wyndham Worldwide Corp., Wyndham Hotel Corp. LLC and Wyndham Hotel Management Inc. derivatively liable for the allegedly unlawful conduct based on the theory that these entities all operated as a "common enterprise."

But the three defendants argue that the FTC's allegations fall "well short" of the standards required to prove this liability.

"If sustained, the FTC's 'common enterprise' theory would potentially subject all manner of modern corporations (large and small) to liability for the actions of any of their corporate affiliates," the motion said.

Morrison & Foerster LLP partner Reed Freeman called the FTC's attempt to hold these "legitimate" companies derivatively liable because they merely shared office space "highly unusual," noting that the agency typically only uses this argument in "garden-variety fraud cases."

"The decision resulting from this motion is going to be an important one for just how far the FTC can take this theory," he said. "My guess here would be that the court finds that the common enterprise theory should be used sparingly in cases where companies have set up corporate operations in order to play a shell game with regulators … and that the use of the common enterprise [theory] outside of these fraud cases is a step too far for the commission."

The FTC declined to respond to the latest motions on Tuesday, citing its policy of not commenting on pending litigation.

Wyndham is represented by David B. Rosenbaum and Anne M. Chapman of Osborn Maledon PA, Eugene Assaf and K. Winn Allen of Kirkland & Ellis LLP, and Douglas H. Meal of Ropes & Gray LLP.

The case is Federal Trade Commission v. Wyndham Worldwide Corp. et al., case number 2:12-cv-01365, in the U.S. District Court for the District of Arizona.