Wyndham ruling boosts FTC's authority to investigate cyber security breaches
Companies can expect more Federal Trade Commission investigations of their data security practices as a result of a judge allowing the FTC to sue the Wyndham hotel chain on grounds it failed to adequately protect customers' personal information.
Legal experts say the ruling, which the hotel chain is appealing, firmly establishes the FTC's authority to oversee companies' practices to secure customer information.
In addition, experts advise insurance buyers to be sure their cyber coverage includes regulatory actions, although such defense and indemnification coverage may be subject to sublimits.
In its suit, Federal Trade Commission v. Wyndham Worldwide Corp. et al., the FTC charged Parsippany, N.J.-based Wyndham “failed to provide reasonable and appropriate security for the personal information collected and maintained” by its hotels, which permitted intruders to gain unauthorized access to its computer network three times between April 2008 and January 2010.
While the hotel chain sought to dismiss the suit, U.S. District Judge Esther Salas refused.
“The court is guided by precedent that compels rejecting (Wyndham's) request to carve out a data-security exception to the FTC's authority,” the Newark, N.J.-based judge ruled April 7 in allowing the suit to proceed.
The FTC is seeking injunctive and “other relief,” which could include restitution and refunds, among other monies.
“Companies should take reasonable steps to secure sensitive consumer information,” FTC Chairwoman Edith Ramirez said in a statement in reaction to the ruling. “When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”
Wyndham, which plans to appeal, noted that the judge made no decision on liability.
“We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” Wyndham said in a statement.
Other cases also challenge the FTC's authority.
In March, for example, a medical laboratory that closed in January sued the FTC in Atlanta federal court. LabMD Inc. accused the FTC of an “unconstitutional abuse of government power” for its investigation of the Atlanta-based company's data security practices.
“There's nothing about the Wyndham decision that would prevent another company from making similar arguments in their own cases brought by the FTC,” said William Boeck, Kansas City, Mo.-based senior vice president and insurance and claims counsel for Lockton Cos. L.L.C.
“I would imagine there's more to come in this area, whether there is an appeal or whether it's future action,” said Michael P. Hindelang, a partner at law firm Honigman Miller Schwartz & Cohn L.L.P. in Detroit. “The boundaries of it are going to be defined in some fashion.”
However, Jay L. Levine, a Washington-based partner at Porter Wright Morris & Arthur L.L.P., said he doubts other courts would rule differently than Judge Salas.
“If a court is going to say the FTC cannot govern data security in such a cybercentric world, then who is?” Mr. Levine said.
Wyndham “is probably the most significant judicial ruling to come down in the cyber/privacy space,” said Richard J. Bortnick, a shareholder at Christie, Pabarue & Young P.C. in Philadelphia.
The ruling “shows the FTC being even more aggressive. They're counting this as a win,” said Christopher Nucifora, managing partner at Kaufman Dolowich & Voluck L.L.P. in Hackensack, N.J.
“Certainly, this is the first time that it's been made expressly clear the FTC can regulate the data security area as a matter of consumer protection,” said Honigman Miller's Mr. Hindelang.
The ruling “doesn't give the FTC a broad ability to go out and get every company that's been hacked,” but it does set a precedent that enables the agency, going forward, to protect what it views as consumers' interest, he said.
Now the FTC has “the license to define what minimum cyber security standards are for all companies within its jurisdiction — that is, companies who deal with consumers,” said Paul Rosenzweig, founder of Washington-based Red Branch Consulting P.L.L.C. and a former deputy assistant secretary for planning at the Department of Homeland Security.
However, Kevin LaCroix, an attorney and executive vice president at Beachwood, Ohio-based RT ProExec, a division of R-T Specialty L.L.C., said he believes the FTC pursued Wyndham in particular because “there were multiple breaches over time, and it seemed like it was the same vulnerability that allowed the breach to happen.”
“If the high-profile data breaches like Target were not enough to (get companies to) stop and consider coverage for cyber risks, this ruling should be the wake-up call,” said Marla H. Kanemitsu, a partner at Dickstein Shapiro L.L.P. in Washington.