By Michael Pernick, Staff Editor

When you check into a hotel, you always give that hotel your personal information—including your name, address, telephone number, credit card account numbers, expiration dates, and security codes. You do this, in part, because you trust that the hotel will keep your information secure. You trust that the hotel protects its computers with reasonable data security protocols and firewalls. Furthermore, most people, if they stopped to think about it, would assume that if a company failed to protect your private data, that company would get in trouble with the government. Typically, they would be right—the FTC brings dozens of data security complaints each year against companies that fail to protect consumer data.[1] These complaints are not usually litigated, as they are relatively straightforward; the business realizes that it made a mistake, agrees to a negotiated settlement, and changes its practices moving forward.
In June 2012, the FTC filed what appeared to be another typical data security complaint against Wyndham Hotels for a rather egregious breach.[2] Wyndham allegedly failed to maintain basic security for personal consumer information stored on its computers. Among other things, it allegedly (a) didn’t use firewalls; (b) failed to properly install encryption software; (c) used outdated operating systems without security updates; and (d) used easy-to-guess user IDs and passwords for access to Wyndham’s property management systems.[3] Not surprisingly, its servers were hacked and personal consumer information was stolen on three separate occasions over the course of two years.[4] Wyndham took no action to fix their data security after each incident.[5] As a result, over 619,000 customer accounts were compromised, and credit cards were hit with over $10.6 million in fraudulent charges.[6]
What happened next wasn’t typical. Rather than negotiate a settlement, Wyndham Hotels decided to go to court. Its argument—which it made before Judge Esther Salas in the District of New Jersey—is highly problematic, both from policy and legal perspectives. Specifically, Wyndham argues that the FTC lacks jurisdiction to regulate data security altogether; this is the first time such an argument has been put forward since the FTC began regulating data security.[7]
Wyndham bases its argument on FDA v. Brown & Williamson Tobacco Corp., where the Supreme Court held the Food and Drug Administration (FDA) lacked jurisdiction to regulate cigarettes.[8] In Brown & Williamson, the FDA lost because prior to its attempt to regulate the sale of cigarettes to children, the FDA had historically stated that they lacked the authority under the Food, Drug, and Cosmetic Act (FDCA) to regulate tobacco products—in other words, the FDA changed their position.[9] The Brown & Williamson court looked closely at Congressional regulation of the tobacco industry and specifically discussed Congress’s consideration (and rejection) of bills to grant the FDA jurisdiction, as well as other laws beyond the FDCA which directly regulated aspects of the tobacco industry.[10] The court ultimately concluded that Congress didn’t intend to permit the FDA to regulate cigarettes, and denied the FDA deference in its decision to interpret the phrases “drugs”, “devices”, or “combination products” within the FDCA to cover tobacco and cigarettes.[11]
Wyndham argues that in passing Section 5 of the Federal Trade Commission Act,[12] Congress did not intend to delegate to the FTC the power to regulate what constitutes an unfair data security practice.[13] It lists other laws that authorize other federal agencies to establish minimum data security standards in certain contexts and points to quotes from the 1990s in which the FTC suggested it did not have the authority to regulate data security. Wyndham essentially argues that this case is an application of Brown & Williamson.[14]
Contorting Brown and Williamson to deny the FTC the authority to regulate data security, as Wyndham would have the court do, would set a dangerous precedent. Wyndham points to various other Acts passed by Congress which it claims indicate that Congress did not intend for the FTC to regulate data security.[15] For example, it points to HIPAA,[16] which requires health care providers to maintain security standards for electronic health information, as well as COPPA,[17] which protects children’s online activity.[18] These data security laws are not comparable to the tobacco laws passed by Congress which the court found persuasive in Brown and Williamson.[19] These tobacco laws directly suggested Congress never intended to delegate authority to the FDA because they regulated the entire industry. Here, Wyndham could not point to a single act of Congress intended to regulate data security generally; they could only find acts relating to specific instances, such as health care or children.
Wyndham also makes the dubious claim that the FTC previously stated that it lacked authority to regulate data security. Unlike in Brown & Williamson, where the FDA clearly stated that it did not have jurisdiction over tobacco products, in this case the FTC never stated that unfair or deceptive data security practices didn’t fall under the FTC Act.[20] Wyndham’s brief relies on several out-of-context quotes which suggest that the FTC stated that it lacked authority over certain information practice policies; in fact, the FTC reports which Wyndham cites actually state the exact opposite—that these issues fall under the FTC’s “statutory mandate.”[21] Of course, the full context of these reports is conveniently omitted from Wyndham’s brief.
Wyndham’s application of Brown and Williamson to this case is highly questionable, but the most troubling part of their argument is the policy implications if they somehow prevail.
There is no other regulator of data security practices besides the FTC. If the FTC is barred from regulating data security, there would be no watchdog agency forcing businesses to protect consumer data. That is why libertarian think tanks and business groups have filed amici in support of Wyndham, including the Chamber of Commerce,[22] the International Franchise Association,[23] and TechFreedom.[24] If the FTC cannot regulate this field, businesses will have free rein to implement whatever data security protocols they want, without fear of an agency regulating their actions.[25] As a result, many businesses will choose not to invest in expensive software or technology to protect their customers’ private data from hackers.
Private lawsuits cannot fully protect consumers. Many consumers aren’t actually harmed, making class action commonality nearly impossible to satisfy. Additionally, individual lawsuits would be impractical because litigation costs would far outweigh any one individual’s harm. Only a watchdog agency with authority to investigate and file civil complaints can effectively protect consumer data, and the FTC is the only game in town. Without the FTC regulating the field, there will be nobody out there to fight for consumers.
[1] List of FTC Data Security Case Highlights, Fed. Trade Commission, http://www.business.ftc.gov/legal-resources/29/35 (last visited Nov. 13, 2013).
[2] Id. (referencing the Wyndham matter).
[3] See First Amended Complaint at ¶ 24, F.T.C. v. Wyndham Worldwide Corp., No. CV 12-1365-PHX-PGR (D. Ariz. Aug. 9, 2012), 2012 WL 3281910.
[4] Id. at ¶ 25.
[5] Id.
[6] Id. at ¶ 40.
[7] Motion to Dismiss by Defendant Wyndham Hotels & Resorts LLC, F.T.C. v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-SCM (D.N.J. Apr. 26, 2013), 2013 WL 3475984.
[8] Food & Drug Admin. v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000).
[9] Id. at 156.
[10] Id. at 159–60.
[11] Id. at 175.
[12] 15 U.S.C. § 45 (2006).
[13] Motion to Dismiss by Defendant Wyndham Hotels & Resorts LLC, supra note 7, at 4.
[14] Id. at 14.
[15] Id. at 9.
[16] Health Insurance Portability & Accountability Act of 1996, Pub. L. No. 104–91, 110 Stat. 1936.
[17] Omnibus Consolidated And Emergency Supplemental Appropriations Act of 1999, Pub. L. No. 105–277, 112 Stat. 2681.
[18] Id.
[19] Food & Drug Admin. v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 122 (2000) (listing six Acts of Congress intended to regulate tobacco products, including health warnings, advertising restrictions, and distribution regulations).
[20] 15 U.S.C. § 45 (2006).
[21] See, e.g., Consumer Privacy on the World Wide Web, Hearing before H. Comm. on Commerce, Subcomm. on Telecomm., 105th Cong., at n.23 (July 21, 1998), available at http://www.ftc.gov/os/1998/07/privac98.htm.
[22] Proposed Brief of Amici Curiae Chamber of Commerce of the U.S., Retail Litig. Ctr., Am. Hotel & Lodging Ass’n, and Nat’l Fed. of Indep. Bus. in Support of Defendants, F.T.C. v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-SCM (D.N.J. May 3, 2013), 2013 WL 3739706.
[23] Brief Amicus Curiae of the Int’l Franchise Ass’n in Support of Defendant Wyndham Hotels & Resorts’ Motion to Dismiss, F.T.C. v. Wyndham Worldwide Corp., No. 13-cv-1887 (ES) (SCM) (D.N.J. May 3, 2013), 2013 WL 3739748.
[24] Techfreedom, Int’l Ctr. for Law and Econ. & Consumer Prot. Scholars’ Brief in Support of Their Motion for Leave to File Brief Amici Curiae in Support of the Wyndham Defendants’ Motions to Dismiss, F.T.C. v. Wyndham Worldwide Corp., No. 2:13-cv-01887(ES)(SCM) (D.N.J. May 3, 2013), 2013 WL 4510055.
[25] Some may argue that consumers are free to abandon companies that do not protect their data; therefore, the free market would provide an adequate incentive for companies to take the necessary steps to protect consumer information, and FTC regulation is not necessary. However, this argument fails for several reasons. First, there is no information available to consumers when they make their purchasing decisions, so consumers cannot make ex ante decisions as to which companies will adequately protect their personal information. Second, because of the fraud insurance included with most credit and debit cards, consumers don’t actually lose money when their credit card information is stolen; therefore, they have little incentive to alter purchasing decisions based on data security—instead, all consumers are forced to pay higher credit card fees to cover the additional costs. Finally, if all companies in a given market or industry fail to implement reasonable data security, consumers would have no choice but to accept whatever insufficient security is provided.