Category: Marketing & Consumer Privacy
Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security
In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010. After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.
In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday. In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.
Reacting to the influx of recent, high-profile data breaches and cybersecurity attacks in the government and the private sector, the U.S. Senate earlier this week passed the controversial Cybersecurity Information Security Act of 2015 (“CISA”), S. 754. The bill, which came after more than four years of handwringing and debate, received bipartisan support and passed by an overwhelming majority vote of 74 to 21.
The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.
Following yesterday’s news that Experian Plc, the world’s largest consumer credit monitoring firm, suffered a massive data breach, exposing the personal information of some 15 million people, the post-breach fall out has already started. The Connecticut Attorney General’s office has announced that is launching an investigation into the breach.
Spokeo, Inc. v. Robins—which involves the question of whether Congress, by authorizing a private right of action based on a violation of a federal statute, can confer Article III standing upon a plaintiff who has suffered no concrete harm—is one of the most eagerly anticipated decisions from the Supreme Court’s October 2015 term. The petitioner’s and respondent’s primary briefing have now been filed with the Court, offering a glimpse into the arguments that we will see at oral argument in the fall. Significantly, in their briefing, Spokeo and Robins both emphasize the potential impact of this decision not only for the future of privacy and data-breach litigation, but also for the scope of the federal courts’ Article III jurisdiction in general.
Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses. The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.
In recent weeks, there have been several developments in some of the major data security class action suits.
In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case. During the argument, the Court acknowledged that the “implications of its ruling would be broad.”
With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.
We are pleased to announce the launch of Data Security Law Blog, Patterson Belknap’s newest resource for the latest news, analysis and thought leadership in the critical area of privacy and cybersecurity law.
In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies which fail to take adequate steps to protect customer data.
In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards. After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.” The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices. On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.
This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act. Since 2005, the FTC has settled 53 cases against companies related to data security. Wyndham is one of two companies to challenge the FTC’s authority in this area. The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.
- Page 2 of 2