Generating a flurry of conversation among privacy professionals worldwide, the U.S. Federal Trade Commission (FTC) last week filed its response to Wyndham Worldwide Corporation’s interlocutory appeal in the Third Circuit. It’s the most recent activity in a case that began in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. The FTC contended Wyndham’s data security flaws constituted a violation of both the deception and unfairness provisions of Section 5 of the FTC Act. But rather than settle with the FTC—as 50 other companies charged with data security failures have done since 2000—Wyndham moved to dismiss the FTC’s suit. The U.S. District Court in New Jersey denied Wyndham’s motion in April 2014, a decision heralded as a victory for the future of the FTC’s data security enforcement activity. Wyndham filed an interlocutory appeal four months later, disputing in particular the FTC’s claim under its “unfair practices” provision.

The FTC’s response outlines and affirmatively answers the three questions presented in Wyndham’s appeal: whether a company’s unreasonable failure to protect the security of consumer data constitutes an unfair act or practice; whether Wyndham had constitutionally sufficient notice that it needed to take reasonable steps to protect the consumer data entrusted to it, and whether the complaint sufficiently alleged that the data breaches caused consumers substantial injury that they could not have reasonably avoided.

Unreasonable Data Security Practices Are Unfair

The FTC responds to the first question with a four-part argument, starting with the assertion that Congress deliberately gave the commission broad discretionary authority to interpret unfair practices. Citing legislative history and numerous cases, the FTC offers evidence that Congress intentionally designed the FTC Act to provide the commission with the ability to apply its “unfair practices” authority flexibly and incrementally—subject to a three-part consumer injury test codified in 1994—across an evolving range of situations. Since at least 1934, the commission has done exactly that, applying the unfairness provision to various situations, including data security.

Next, the FTC dismisses Wyndham’s claim that the term “unfair” should be limited to an “ordinary English” definition of intentional “unscrupulous or unethical behavior.” No court has ever suggested such a limited interpretation, and doing so now would contradict decades of precedent. This reading also contradicts the 1980 Policy Statement on Unfairness, which rejected morality and intent as bases to assess the fairness of a company’s practices. Moreover, the FTC argues, the statute itself provides the definition of “unfairness” in the combination of the broad prohibition in Section 5(a) of “unfair… acts or practices in or affecting commerce” and the requirements of the consumer injury test codified in Section 5(n). Unlike the narrowly applicable definition Wyndham offers in its appeal, the definition provided by the statute covers direct and indirect liability for consumer injury and does not exempt businesses that expose themselves to harm through negligence that also injures consumers.

In its third argument, the FTC maintains that its interpretation of the unfairness provision to include unreasonable data security practices is valid even though Section 5 does not specifically grant authority to enforce data security. While Wyndham argued that recent data security legislation such as GLBA, FCRA and COPPA precludes the inference that Section 5 authorized the FTC to enforce data security standards, the FTC responds that such legislation in fact augments its existing authority. It argues that Wyndham’s reliance on FDA v. Brown & Williamson Tobacco Corp., in which the Supreme Court ruled that the Food and Drug Administration lacked the authority to regulate tobacco under the Food, Drug and Cosmetic Act because this would have contradicted tobacco-specific statutes, is misguided because the data security statutes do not conflict with the FTC Act. The FTC’s data security authority more closely resembles the powers of the Environmental Protection Agency (EPA) under the Clean Air Act. In Massachusetts v. EPA, the Supreme Court held that more recent climate change legislation did not prohibit the EPA from applying the Clean Air Act to control carbon dioxide emissions.

Finally, the FTC argues that the commission’s interpretation of “unfair” is entitled to deference as established in Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc. Under Chevron, which was reaffirmed in City of Arlington, Texas, v. FCC, if Congress has not already directly addressed the exact question at issue and the agency’s interpretation is based on a permissible construction of the statute, a reviewing court must yield to the agency’s construction. According to the FTC, its interpretation of the unfairness provision of Section 5 meets both of the requirements of Chevron; consequently, the commission’s interpretation that unfair practices include unreasonable data security practices should stand.

Wyndham Had Fair Notice

In response to the second question presented on appeal, the FTC maintains that Wyndham had fair notice of its obligation to take reasonable steps to protect confidential consumer data and was therefore not denied its constitutionally protected right to due process. The FTC defends this position with two arguments. First, it notes that its complaint against Wyndham is based on basic principles of negligence; all businesses are aware of their obligation to follow reasonable standards of customer care. Wyndham, which has long made assurances in its privacy policy that it would provide reasonable data security for its customer’s information, is no exception. In fact, the FTC argues, having promised that it would implement a variety of specific security measures that it then failed to employ, Wyndham cannot now claim that it lacked notice of its data security responsibilities. In addition, the FTC claims that its data security standards are grounded on basic notions of common law as reflected, for example, in the tort of negligence, which closely mirrors the unfairness test iterated in Section 5(n).

Second, the FTC asserts that it has repeatedly warned industries since 2005 to take basic data security precautions when handling consumer data. Moreover, the commission has provided ample notice of its data security expectations through both its string of data security enforcement actions and the publication of guidance, Protecting Personal Information: A Guide for Business, in 2007.

The Complaint Meets Pleading Requirements on Harm

Wyndham challenged the commission’s complaint for failing to plead any facts satisfying the statutory criteria of “substantial injury” that is “not reasonably avoidable by consumer themselves.” The FTC argues that its complaint more than meets the standard for establishing a violation of Section 5 of the FTC Act, pointing first to the facts that more than 600,000 credit and debit card accounts were compromised, $10 million was accumulated in fraudulent charges and consumers lost access to funds or credit—all as a result of Wyndham’s failure to implement reasonable and appropriate security measures. According to the FTC, these injuries, together with even a small amount of unreimbursed charges, amount to substantial collective harm that is sufficient on its own to sustain the complaint. The FTC asserts that Wyndham’s argument that consumers could have avoided injury by accepting its offer to reimburse the fraudulent charges does not address the fact that consumers could not have prevented thieves from accessing and misusing their personal data. Moreover, the FTC argues that to establish consumer harm, it is not necessary, as Wyndham claims, to identify any particular individual who suffered financial injury. Rather, the FTC’s allegation that 600,000 credit cards were compromised is sufficient to form a plausible case of substantial consumer harm, even if not all of those consumers suffered unreimbursed charges.

In further response to Wyndham’s challenge to the sufficiency of the complaint, the FTC argues that its allegation that customers spent time and money to mitigate the harm resulting from the breaches independently meets applicable pleading standards. The FTC, responding to Wyndham’s choice of precedential evidence, distinguishes its complaint from the Third Circuit’s 2011 decision in Reilly v. Ceridian Corp., in which there was no evidence that data was actually stolen or misused. Unlike the Wyndham breaches, in Reilly, the court held that the expenditure of time and money was a “speculative” response to “hypothetical” harm. According to the FTC, Wyndham’s reliance on Reilly as precedent for its case is therefore mistaken, as in that case the plaintiffs were private individuals rather than a federal agency with authority under a consumer protection statute.

Conclusion

Throughout this case, the FTC has emphasized that Wyndham’s “fundamental mistreatment of consumers is precisely the type of unfair practice that Congress enacted Section 5 to prohibit.” In its response to Wyndham’s motion, the FTC first seeks to establish that Wyndham’s security practices qualify as “unfair” according to the statutory and, as Wyndham proposes, the dictionary definition and that Congress intentionally designed Section 5 to apply in such a way. Second, the FTC argues that Wyndham knew what level of security it was expected to provide and the consequences of not providing it. Third, the FTC offers evidence to indicate the extent of Wyndham’s mistreatment of consumers and the resulting injury that render it unfair. While acknowledging that “perfect” security is unachievable, the commission maintains that businesses are not excused from implementing security measures and protecting sensitive consumer data simply because breaches can happen even to those who are best prepared. Consumers, it argues, lose the ability to protect their information once they have provided it to a business and thus depend on that business to secure the sensitive and personal information on their behalf. According to the FTC, it is the responsibility of the commission—as authorized by Congress—to ensure that each business reasonably does so.