FTC v. Wyndham

Whether the Federal Trade Commission Has the Authority Under Section 5 of the FTC Act to Bring an Enforcement Action Against a Company Whose Failure to Protect Sensitive Data Has Resulted in Financial Harm to Consumers

Summary

The Federal Trade Commission sued a global hotel company for failing to adequately safeguard its computer network, allowing hackers to access customer information. The company now argues that the FTC lacks authority to regulate data security standards of commercial entities. The lower court ruled in the FTC's favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC's data protection authority.

Oral Argument

Listen to the March 3, 2015 oral argument:

Top News

  • Court of Appeals Vacates FTC's LabMD Order, Finding It Lacked Specifics: The Court of Appeals for the Eleventh Circuit has vacated an administrative order by the Federal Trade Commission, which required the medical testing company LabMD to implement "reasonable" data security measures, finding that the order was not specific enough to be enforceable. The court explained that the FTC can require companies to implement data security measures as long as it provides specific guidance. EPIC has repeatedly urged the FTC to mandate specific data security requirements in consumer privacy settlements, including in comments on recent settlements with Uber and PayPal. EPIC also submitted an amicus brief in FTC v. Wyndham, a case in which the Third Circuit Court of Appeals upheld the FTC's authority to enforce data security standards. (Jun. 7, 2018)
  • Court of Appeals Restores FTC's Authority Over "Common Carriers": The Ninth Circuit Court of Appeals has ruled in FTC v. AT&T that the Federal Trade Commission can regulate telephone and internet companies, reversing an earlier decision by a three-judge panel that stripped the FTC of its authority over "common carriers." The full Ninth Circuit held that the common carrier exemption to the FTC Act is activity-based, not status-based. This means that the FTC can regulate AT&T's data-throttling practices. The Ninth Circuit reached the result that EPIC and a coalition of consumer advocates had urged in a friend-of-the-court brief. EPIC also vigorously defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards" in an amicus brief in FTC v. Wyndham. (Feb. 26, 2018)
  • EPIC Offers 10 Recommendations for the FTC's Five-Year Strategic Plan » (Dec. 5, 2017)
    EPIC has submitted 10 recommendations for the Federal Trade Commission's "Draft Strategic Plan" for 2018-2022. EPIC explained how the FTC can protect consumers, promote competition, and encourage innovation. Among the several proposals, EPIC urged the FTC to enforce consent orders, incorporate public comments into settlements, promote transparency, produce concrete outcomes, and endorse data protection legislation. EPIC and several consumer privacy groups outlined these proposals in a letter to the FTC in February, 2017. EPIC has consistently urged the FTC to exercise its full authority in protecting consumers, and even filed a lawsuit in 2012 to get the FTC to enforce an existing consent order against Google. EPIC has also filed several consumer privacy complaints with the FTC, including a recent complaint about "toys that spy."
  • Court of Appeals Grants Rehearing in FTC v. AT&T Mobility » (May 15, 2017)
    The Ninth Circuit Court of Appeals has granted rehearing of a decision that stripped the FTC of its authority over companies engaged in "common carrier" activities. The grant of rehearing vacates the court's earlier holding that the common carrier exemption to FTC authority is status-based, not activity-based. EPIC and a coalition of consumer advocates had filed a friend-of-the-court brief urging reconsideration of the court's decision, warning that the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • EPIC, Consumer Coalition Defend FTC Authority Over Common Carriers » (Nov. 7, 2016)
    EPIC joined a coalition of consumer advocates to challenge a recent federal court decision that would limit the Federal Trade Commission's authority over companies engaged in "common carrier" activities. In an amicus brief filed with the Ninth Circuit Court of Appeals, the consumer coalition urged reconsideration of the court's decision that the common carrier exemption to FTC authority is status-based, not activity-based. The brief warned the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." Internet companies such as Google that offer some broadband service could be entirely exempt from consumer protection regulation. EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • FTC Finds Unauthorized Data Disclosure is "Substantial Injury" to Consumers » (Aug. 2, 2016)
    The Federal Trade Commission unanimously reversed an administrative law judge's dismissal of the FTC's complaint against LabMD, finding that LabMD's poor data security practices are "unfair" under the FTC Act. The Commission concluded that the judge had "applied the wrong legal standard for unfairness." The FTC's opinion explained that "the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury." The FTC's authority to enforce data security standards was upheld last year in FTC v. Wyndham. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • Wyndham Settles FTC Charges Over Failure to Safeguard Customer Data » (Dec. 9, 2015)
    Wyndham Hotels has settled charges with the FTC that the company's data security practices unfairly exposed the financial data of hundreds of thousands of customers to hackers. Earlier this year, in FTC v. Wyndham, a federal appeals court upheld the FTC's authority to enforce data security standards. EPIC's amicus brief filed in Wyndham played an important role in defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.
  • Administrative Decision Tosses LabMD Data Security Case » (Nov. 21, 2015)
    An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The admin judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • Appeals Court Upholds FTC's Data Security Authority » (Aug. 24, 2015)
    A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.
  • Federal Court Considers FTC's Data Protection Authority » (Mar. 3, 2015)
    A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam."
  • EPIC Urges Federal Court to Uphold FTC Authority to Protect Data Security » (Nov. 13, 2014)
    EPIC, joined by thirty-three technical experts and legal scholars, has filed an amicus brief in support of the Federal Trade Commission's authority to establish data security standards. EPIC described the extent of the data security risks in the United States, the important role of the FTC, and the danger of removing FTC authority to safeguard consumer data. EPIC said, "The FTC's authority to regulate business practices impacting consumer privacy is well established, the problem is obvious, and the agency has a clear record of success." EPIC cited 50 successful enforcement actions against companies that failed to safeguard customer data. EPIC also detailed the ongoing risks of identity theft and financial fraud facing American consumers. EPIC warned, "Removing the FTC's authority to regulate data security would be to bring dynamite to the dam." For more information, see EPIC: FTC v. Wyndham, EPIC: EPIC Amicus Curiae Briefs.

Background

The Federal Trade Commission (FTC) filed suit in federal district court against global hotel company Wyndham Worldwide Corporation and its subsidiaries (collectively, "Wyndham") for failing to maintain reasonable and appropriate data security practices for sensitive customer data. Wyndham's data security practices, allege the FTC, are deceptive and unfair acts prohibited by Section 5 of the FTC Act. The Commission alleges that, at least since 2008, Wyndham engaged in a number of practices that "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." According to the complaint, these practices include:

  • failure to use readily available security measures, such as firewalls;
  • storage of credit card information in clear text;
  • failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
  • failure to address known security vulnerabilities on servers;
  • use of default user names and passwords for access to servers;
  • failure to require employees to use complex user IDs and passwords to access company servers;
  • failure to inventory computers to appropriately manage the network;
  • failure to maintain reasonable security measures to monitor unauthorized computer access;
  • failure to conduct security investigations; and
  • failure to reasonably limit third-party access to company networks and computers.

According to the FTC, these deficient security practices led to three unauthorized intrusions between 2008 and 2010. These intrusions allegedly caused "the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts, and more than $10.6 million in fraud loss."

Unfair acts under Section 5 are those that "cause[] or [are] likely to cause substantial injury to consumers which [are] reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."

Wyndham's Challenge to the FTC's Data Security Authority

Wyndham moved to dismiss the FTC's suit. In its motion, the company challenged the FTC's data security authority under the unfairness prong of Section 5. The unfairness prong authorizes the FTC to prohibit acts that cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. Wyndham did not argue that the text or legislative history of Section 5 precluded the FTC from regulating data security. Rather, the company argued that by adopting targeted data security legislation, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act, Congress has settled on "a less extensive regulatory scheme." This scheme, argued the company, would be rendered superfluous if the FTC is allowed to impose general data security standards under its Section 5 authority.

Wyndham further argued that the FTC has disclaimed authority to regulate data security practices. The company contends that like the FDA's disclaimers over tobacco regulation in FDA v. Brown & Williamson Tobacco Corp., the FTC made public statements between 1998 and 2001 in which it disclaimed authority to regulate data security.

The district court rejected Wyndham's arguments and denied the company's motion to dismiss. First, it concluded that Brown & Williamson is distinguishable. In Brown & Williamson, the U.S. Supreme Court held that Congress, through the Food, Drug, and Cosmetic Act, had precluded the Food and Drug Administration's (FDA) jurisdiction over tobacco products. To conclude otherwise, reasoned the Court, would require the FDA to remove tobacco products from the market entirely, which would "plainly contradict congressional policy." The district court stated that no such contradiction exists with the FTC and data security jurisdiction. Instead, the court concluded that data security legislation was intended "to complement—not preclude—the FTC's authority."

Second, the court rejected Wyndham's contention that the FTC disclaimed authority over data security. Unlike the FDA in Brown & Williamson, the FTC did not take a "plain and resolute position" that it lacked jurisdiction to regulate a particular area. The court concluded that the three statements put forth by Wyndham did not amount to a disclaimer of authority by the FTC. Also relevant was the fact that the FTC brought several unfairness actions involving data security after the statements in question were made. On a related point, the court rejected Wyndham's contention that because the FTC never affirmatively declared its authority over data security, the agency cannot assert it; the court found no legal basis to support that conclusion.

Wyndham also argued that, even if Section 5 grants the FTC data security authority, it would violate principles of fair notice and due process to hold the company liable. Wyndham contends that the FTC failed to adequately notify companies through "rules, regulations, or other guidelines" as to acceptable data security standards. In essence, Wyndham argued that before bringing an unfairness action under Section 5, the FTC must publish rules and regulations. The district court rejected this argument stating such a proposition "would necessarily require the Court to sidestep long-standing precedent . . . that suggests precisely the opposite . . . ."

EPIC's Interest in FTC v. Wyndham

There are three aspects of the FTC v. Wyndham case that are especially significant to EPIC’s mission and its consumer privacy work: (1) Wyndham is challenging the FTC’s authority to bring enforcement actions for consumer data breaches under Section 5, and EPIC frequently calls on the FTC to bring enforcement actions against companies that violate consumer privacy; (2) data breaches are an area of major concern for consumers, and EPIC’s mission is to advocate for strong consumer privacy protections; and (3) as an expert on both consumer privacy and security issues, EPIC is uniquely qualified to outline the data security standards that should be followed by all companies.

EPIC advocates on behalf of Internet users before the FTC, and frequently files complaints based on the unfair and deceptive practices of companies who handle sensitive user data. As a result of these and other complaints, the FTC has brought a number of important enforcement actions against companies for violations of Section 5. EPIC has also argued that the FTC needs to more aggressively enforce its consent decrees in order to ensure the protection of consumer privacy rights. The FTC plays an important role as privacy regulator in the United States, though EPIC has argued in the past that Congress should provide for more comprehensive data protection regulations under the Consumer Privacy Bill of Rights.

EPIC has filed important data-security-related complaints with the FTC, many of which have led to enforcement actions by the agency:

  • In re Snapchat (2013) - Failure to Securely Delete User Images
    • EPIC filed an FTC complaint against Snapchat on May 16, 2013, alleging that the app company violated Section 5 when it failed to securely delete its users' photos, videos, and messages. Snapchat is a mobile photo-sharing application that claimed to allow users to take photos and videos that would self-destruct permanently after the recipient viewed them. However, Snapchat images were not actually deleted from users' phones; the app merely changed the file extension to .NOMEDIA, hiding the file from the user. The files could be easily recovered from the phone's storage.
    • On May 8, 2014, less than a year after EPIC filed the complaint, the FTC entered into a consent order and proposed settlement agreement with Snapchat over its alleged violations of Section 5. Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies.
  • In re Scholarships.com (2013) - Disclosure of Student Health Data
    • EPIC filed an FTC complaint against Scholarships.com on December 12, 2013, alleging that the company had failed to properly protect sensitive student data, and that its disclosure of sensitive student health information was an unfair trade practice. Scholarships.com is a web service used by students seeking financial aid and scholarship opportunities. In order to use the service, Scholarships.com requires that students disclose sensitive personal information, including personal health history. EPIC's complaint alleged that Scholarships.com transfers this data to an affiliate marketing company, which then sells the data to third parties. EPIC's complaint also alleged that Scholarships.com failed to use reasonable data security practices to protect the sensitive information that it was gathering.
    • Following EPIC's complaint, Scholarships.com updated its website to provide encrypted connections. EPIC received a letter from the company disclaiming liability, but also reassuring EPIC that Scholarships.com had begun to use HTTPS.
  • In re ChoicePoint (2004) - Consumer Data Breaches
    • EPIC filed an FTC complaint against ChoicePoint in December 2004, alleging that the data broker had sold the personal data of hundreds of thousands of consumers to identity thieves, resulting in significant financial harm. EPIC subsequently urged the company to provide victims with access to their data that was disclosed to criminal organizations. The next month, EPIC testified before the California Senate Banking, Finance and Insurance Committee, which was investigating the ChoicePoint breaches.
    • In January 2006, the FTC brought an action against ChoicePoint seeking $15 million in civil penalties and remuneration to the victims of the security breach. The FTC also prohibited ChoicePoint from deceiving consumers as to the security of their personal information.

EPIC has also written extensively on the data security implications raised by the collection and storage of sensitive consumer information. In April 2014 comments to the White House, EPIC pointed to the massive data breaches at Target, Adobe, and LivingSocial, which affected millions of consumers, to illustrate the enormous risk of inadequate data security practices. A May 2014 report found that half of American adults' data had been hacked in the last year. In addition to the breaches listed above, Neiman Marcus, Michaels, eBay, Home Depot, multiple health care providers, and J.P. Morgan all suffered massive breaches that exposed consumers to substantial financial harm, including identity theft and credit card fraud.

Although large-scale data breaches may be a recent phenomenon, businesses' obligation to secure consumer data has not changed. As Ed Felten, EPIC Advisory Board Member and the FTC's first chief technologist, has noted, "[t]he FTC has established a principle that companies have a responsibility to protect consumers' private data . . . . The challenge there is to understand how to apply that across different technologies."

EPIC has previously taken a stand against the insecure handling of sensitive consumer information. For example, in 2011, EPIC filed an amicus curiae brief in the U.S. Supreme Court in Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011). In Sorrell, the Court considered whether Vermont’s prescription privacy law, which would have barred disclosure of prescription data for marketing purposes, violated the First Amendment rights of health data firms. In its brief, EPIC argued that patient records were at risk of being identified because the “cryptographic technique used to conceal the identity of the patients is inadequate.”

Legal Documents

U.S. Court of Appeals for the Third Circuit (No. 14-3514)

District Court for the District of New Jersey (No. 13-1887)

Resources

Relevant Cases

  • FCC v. Fox Television Stations, Inc., 132 S. Ct. 2307 (2012)
  • Brown & Williamson Tobacco Corp. v. FDA, 153 F.3d 155 (2000)

News Reports
