As evident from the recent Target and other large company data security breaches, cybercriminals are actively seeking to hack into company data management systems to obtain customers’ private information.
Companies must constantly be on alert for cyber threats and proactively safeguard customer data from theft by cybercriminals.
The Federal Trade Commission Act (the “FTC Act”) provides the Federal Trade Commission (“FTC”), an independent law enforcement agency, with authority to take enforcement action against, among other things, unfair and/or deceptive practices or acts and to seek appropriate relief for “conduct injurious to consumers.” The FTC seeks to protect consumers from practices in the marketplace that may lead to identity theft and other unlawful or unauthorized use of the consumers’ personally identifiable information.
In recent years, the FTC has focused its enforcement efforts against companies in, among other areas, data security (“Cybersecurity”). The FTC’s aggressive enforcement effort in this domain has not been left unchallenged by companies targeted by the FTC. Though the FTC’s authority to serve as the nation’s Cybersecurity policeman is murky, one federal court has recently given the FTC the green light to bring actions against companies for Cybersecurity breaches. This article discusses the court’s decision and the key takeaway of that decision.
FTC v. Wyndham Worldwide Corp.: The Hacked Companies Are Sued
On April 7, 2014, the United States District Court for the District of New Jersey in the FTC v. Wyndham Worldwide Corp. case determined that the FTC has the authority to police Cybersecurity.
Wyndham Worldwide Corporation, through its subsidiaries (collectively, “Wyndham”), franchises and manages “Wyndham” branded hotels and sells timeshares. Wyndham’s franchise agreements require each Wyndham branded hotel to use a uniform property management system (“Property Management System”) to store hotel customers’ sensitive personal data, which include “names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.” Further, the Property Management System for each hotel links to the corporate network, which includes a central reservation system (“Central Reservation System,” together with the Property Management System, the “Data Management System”). Customers of all Wyndham-branded hotels make reservations on the same Central Reservation System.
The FTC asserts that three breaches of the Data Management System resulted in “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
Following the breaches, the FTC brought an action against Wyndham under Section 5(a) of the FTC Act to seek relief to prevent further violations of the FTC Act and to redress consumers’ injuries resulting from the breaches. The FTC claims Wyndham’s failure to act reasonably and appropriately to protect hotel customers’ personal data from the unauthorized access by hackers was an unfair act or practice that resulted in substantial injury to hotel patrons.
Wyndham sought to dismiss the FTC’s action, on the bases, among others, that (i) the FTC lacks authority under Section 5 of the FTC Act to regulate Cybersecurity in the private sector and (ii) the FTC has not promulgated rules, regulations or guidelines providing companies clear Cybersecurity standards. Noting that there is no Congressional action that conflicts with the FTC’s asserted authority to regulate Cybersecurity practices, the Court concluded that the FTC has authority to regulate Cybersecurity. The Court also concluded that the FTC is not required, before bringing an enforcement action, to promulgate rules setting forth standards given that a data-security unfairness claim is “‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations.’”
Key Takeaway: Stay Alert, Stay Alive
Though the FTC has yet to delineate rules, regulations or other guidelines to inform companies of what the FTC would consider proper Cybersecurity measures, one fact is clear: the FTC has the green light to continue to aggressively police Cybersecurity. It would, therefore, behoove companies to closely monitor FTC Cybersecurity-related actions and tighten security controls to ensure consumers’ private personal data is adequately protected.
Even though hackers are usually one step ahead of the companies and individuals they target, companies must aggressively seek to change the power dynamic to stay one step ahead of hackers. Companies may consider engaging outside consultants that specialize in testing companies’ computer systems to ensure that the systems are hack proof. Proactive instead of reactive investment in customer data protection is necessary given the FTC is watching and ready to prosecute in the event of a security breach.
Disclaimer: This article represents the views of the author and such views should not necessarily be imputed to Norton Rose Fulbright, Fulbright & Jaworski LLP, or their respective affiliates and clients. This publication should not be considered legal advice and receipt of this publication does not establish an attorney-client relationship.
About the Author: Ms. Simmons focuses her practice on the representation of debtors, creditors and other parties in complex restructuring, finance, bankruptcy and litigation matters. She can be reached at email@example.com.
 See 15 U.S.C. §§ 41-58; FTC, Legal Resources – Statutes Relating to Both Missions, http://www.ftc.gov/ogc/stat1.shtm (last visited May 8, 2014).
 No. 13-1887(ES), 2014 WL 1349019, at *1 (D.N.J. Apr. 7, 2014).
 Id., at *2 (citation omitted).
 Id., at *3.
 Id., at *14 (citation omitted).