If the reaction to recent data security breaches at national retailers Target, Michael’s and Apple is any indication, protecting consumer information will continue to be a hot topic. Yet while consumer concerns about theft are universal, as opposed to industry specific, regulatory protection lags behind. To date, no federal regulation or law sets forth data-security standards that apply to all companies engaged in interstate commerce.

The Federal Trade Commission (FTC) is doing its best to fill the void. Since 2000, the FTC has brought more than 40 data security enforcement actions, and just three months into 2014, the FTC has negotiated settlements with Fandango and CreditKarma for alleged failures to take reasonable steps to secure consumers’ personal information. The FTC relies on Section 5(a) of the FTC Act as its authority for enforcement actions; the statute provides that “unfair or deceptive acts or practices in or affecting commerce…are…declared unlawful.” Unfair practices are broadly defined as those that “cause or [are] likely to cause substantial injury to consumers…not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Not everyone is pleased with the FTC’s actions, and two recent cases highlight the growing criticism. In FTC v. Wyndham Hotels Corp., et al, the FTC issued a complaint after three breaches between 2008 and 2010 involving the company and its franchisees’ computer networks. Those breaches allegedly compromised the credit card and other financial information of more than 600,000 people and resulted in millions of dollars of fraudulent charges. The FTC alleged that “Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury.”

Similarly, in In re LabMD, Inc., the FTC issued a complaint after two data breaches involving the personal information of more than 9,000 consumers. The FTC alleged that LabMD’s failure “to employ reasonable and appropriate measures to prevent unauthorized access to personal information” was an unfair trade practice causing substantial consumer injury.

Both Wyndham and LabMD moved to dismiss, arguing that the FTC lacks statutory enforcement authority without explicit delegation from Congress. Further, they argued that Congress had already enacted several other statutes on data security, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In particular, LabMD argued that the FTC has no enforcement authority against it because the data at issue is protected health information and Congress has already established pertinent regulations, including HIPAA, which are enforced by the Department of Health and Human Services (HHS) — thereby precluding FTC enforcement through Section 5. The Wyndham defendants also challenged the sufficiency of the pleadings under Rules 8(a) and 9(b) of the Federal Rules of Civil Procedure, and whether substantial consumer injury occurred in light of reimbursement to consumers for any financial losses from credit card theft in excess of $50. In what appeared to be their strongest argument, both LabMD and Wyndham raised due process concerns about the fairness of enforcing standards only after a significant breach, without prior notice of what is prohibited. Both argued that in the absence of formal rules setting data security standards, Section 5 alone fails to provide guidance or minimum compliance standards.

Not surprisingly, the FTC disagreed. In its view, “Congress deliberately delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changing economy.” With respect to HIPAA and similar statutes, the FTC contends no legislation exists that “forecloses the Commission from challenging data security measures” in accordance with Section 5. With respect to due process, the FTC points to its public statements and enforcement actions as notice of what constitutes reasonable data-security measures. The FTC also referenced the National Institute of Standards and Technology (NIST) publications, among others, as available sources of guidance regarding reasonable data security.

On April 7, 2014, the Wyndham court sided with the FTC, denying the motion to dismiss and finding unequivocally that the FTC had authority to bring an unfairness claim in the data security context. Judge Esther Salas of the U.S. District Court for the District of New Jersey found that the statutes cited by Wyndham — HIPAA, GLBA, etc. — seemed “to complement—not preclude—the FTC’s authority.” With respect to due process considerations, Judge Salas was not persuaded that fair notice required formal rulemaking before filing an FTC action. Instead, she found ample notice in the language in Section 5, the FTC’s sources of guidance on reasonable data-security measures, and prior FTC consent agreements and opinions.

Judge Salas also found that the FTC sufficiently alleged a claim under Section 5. Specifically, Judge Salas held that the complaint permitted the court to infer that the data security practices “caused theft of personal data, which ultimately caused substantial injury to consumers.” The court was not persuaded by Wyndham’s argument that there was no actual injury because federal law limits consumer liability for unauthorized use of a payment card to $50, and that all major banks waive the $50 limit. Instead, the court held that the FTC’s allegation that at least some consumers suffered “unreimbursed financial injury” was sufficient. The court also rejected the Wyndham defendants’ argument that no injury-in-fact occurred, finding instead that the FTC’s allegation of misuse in the form of fraudulent charges to consumers’ accounts was enough.

While the court cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” companies can take steps to minimize the risk of an FTC enforcement action.

First, review your privacy policy. Make sure that the policy does not promise more with respect to privacy and data security than your company can deliver. One of the main allegations against the Wyndham defendants is that they falsely represented to consumers that they followed industry standard privacy practices. Second, confirm that your data security practices are commensurate with your industry’s standards. If none exist, follow more general standards, such as NIST CSF and SP 800-53, and ISO 27001/2. In light of the court’s decision in Wyndham, companies now should also consider the data security guidance and orders issued by the FTC. At a minimum, ensure that your company follows simple, proactive data security measures. In both Wyndham and LabMD, the FTC identified a number of basic security measures that it says should have been followed, including firewalls, requiring employees to change passwords regularly, installing and updating security patches for network servers, and regularly updating the operating systems of computers and devices on the network. Judge Salas also specifically mentioned the failure to require complex user IDs and passwords and the failure to inventory the computers connected to the network. Third, don’t rest on your laurels. The FTC is clear that data security involves an ongoing process of assessing risks and vulnerabilities, and adjusting practices to minimize them.