International Trade Today is a service of Warren Communications News.
‘FTC Can’t Really Lose’

‘Referendum’ Case on FTC Data Security Authority May Take Years, Have Little Impact on Jurisdiction

Recent high-profile data breaches have spurred the FTC and Congress to accentuate the need for heightened authority for the commission to regulate data security. One company is trying to take away that authority altogether.

Wyndham, a hotel chain, is challenging the FTC’s data security authority after the commission filed a complaint against the company for repeated data breaches. FTC v. Wyndham is “the referendum” on FTC data security authority, said University of Washington School of Law Assistant Professor Ryan Calo, who researches emerging technologies and the Internet. “That’s an issue that will, or might be somewhat resolved, by the Wyndham case,” said Fletcher Heald communications lawyer Paul Feldman, who represents ISPs. Michael Daugherty, CEO of medical testing lab LabMD, which is challenging FTC authority to oversee the security of health data (WID Feb 21 p1), told us that “Wyndham is a bigger deal because it’s a bigger company.”

The FTC entered new territory when it started filing complaints about companies’ data security practices. A decade and 50 settlements later, the commission’s authority to file those complaints has come under frequent scrutiny from lawyers, academics and industry representatives who wonder, “Does the FTC have the authority?” Repeatedly the answer is, “It depends on the Wyndham case.” It “would be problematic,” FTC Commissioner Maureen Ohlhausen said at a Congressional Bipartisan Privacy Caucus briefing (WID Feb 4 p3), “were a court to decide the FTC doesn’t have authority to challenge data security practices.” Such a decision “would take away an important tool the FTC has used over many years,” she said.

A series of high-profile data breaches from retailers including Neiman Marcus and Target (WID Jan 14 p8, Jan 6 p1, Dec 20 p1) has heightened anticipation of the final Wyndham decision, agreed those we interviewed. Since the data breaches, the FTC has stepped up its congressional outreach, urging both the House and Senate to expand and solidify the agency’s data security oversight role with rulemaking authority and the ability to seek civil penalties (WID Feb 4 p6). Senate Democrats Patrick Leahy of Vermont, Jay Rockefeller of West Virginia and Richard Blumenthal of Connecticut have introduced legislation that would do that in varying degrees (WID Feb 6 p5).

But lawyers and academics, including Calo and Feldman, caution the Wyndham case could take three years or more to fully resolve itself. Wyndham’s legal arguments have focused heavily on whether the FTC has regulatory authority over data security -- an argument unlikely to prevail in court according to several lawyers -- and not whether the commission has given fair notice of its data security expectations. “The real elephant in the room isn’t whether [the FTC has] regulatory authority or not, but the judicious exercise of that authority in a way that is consistent within constitutional requirements and sound public policy,” said Wilson Sonsini Internet privacy attorney Gerry Stegmaier, whose firm was one of several that assisted Wyndham in connection with the FTC’s original investigation. That issue is unlikely to be fully addressed for years, if at all, observers said.

Regardless of how the case is resolved, the final ruling could do little to alter or further define FTC jurisdiction, potentially spurring Congress to step in, stakeholders said in interviews. “If the FTC loses in Wyndham, I expect we'd see much more motivation for Congress to explicitly grant the FTC rulemaking authority for data security,” said Cumberland School of Law Assistant Professor Woodrow Hartzog, who specializes in privacy law. “In the long run, the FTC can’t really lose,” Stegmaier said.

In June 2012, the FTC sued Wyndham Worldwide alleging data security failures had resulted in three data breaches over two years (WID June 27/12 p9) (http://1.usa.gov/1fCSeH1). The commission claimed Wyndham’s privacy policies were both unfair and deceptive, misrepresenting the company’s data security measures and violating the FTC Act. FTC data security complaints normally end in consent decrees, but Wyndham became the first company to legally challenge the FTC’s authority to act on data security cases.

In August 2012, Wyndham filed a motion to dismiss (http://bit.ly/1hKEEST) on the grounds Congress hadn’t given the FTC jurisdiction over companies’ data security. “The FTC’s novel legal theories in this case have no basis in law or logic,” the motion said. TechFreedom (http://bit.ly/1itiUb7) and industry groups including the U.S. Chamber of Commerce, Retail Litigation Center, American Hotel and Lodging Association and the National Federation of Independent Business (http://bit.ly/1kVVUCx) filed amici briefs in support of Wyndham.

Wyndham’s Three-Pronged Challenge

Wyndham is challenging the FTC from three angles, according to several lawyers: Whether the commission has jurisdiction over companies’ data security; whether it provided fair notice of its data security expectations; and whether the agency should have higher pleading standards to bring data security complaints. Wyndham’s filings and oral argument have touched on all three points, but the motion to dismiss is mostly rooted in whether the commission has authority at all. Ifrah lawyer Michelle Cohen, an Internet privacy specialist, said that “I'm not sure the administrative procedure angle has been pushed to the forefront.” Berin Szoka, president of TechFreedom and a former practicing Internet and communications lawyer, told us, “I don’t think the parties really got into the pleading standards” in oral argument. U.S. District Judge Esther Salas noticed the jurisdiction focus during Nov. 7 oral argument in Newark, N.J. “A lot of your arguments focus around Brown & Williamson,” she said, referencing a 2000 Supreme Court decision in Food and Drug Administration v. Brown & Williamson Tobacco Corp.

Brown & Williamson challenged the FDA for presuming authority over, and thus the ability to regulate, tobacco after the agency defined nicotine as a “drug” and cigarettes as “combination products,” according to then-Justice Sandra Day O'Connor’s majority opinion (http://bit.ly/1mwwjnO). The opinion ruled the FDA didn’t have the ability to regulate tobacco and cigarettes, because Congress hadn’t given the agency that authority, and never expressed intent to do so.

Of Wyndham’s three arguments, Brown & Williamson is the least likely winner, Szoka said. Salas also seemed skeptical during oral argument, calling the Brown & Williamson case “distinguishable” from Wyndham’s case. She asked one of Wyndham’s lawyers, Eugene Assaf of Kirkland & Ellis, to “tell me why this case, you feel, is so on point.” Assaf countered: “It is hard to believe that Congress would have ceded this debate” over data security oversight “to an agency when the statute [granting the FTC authority] is either silent or ambiguous.” Kevin Moriarty, an FTC attorney within the Privacy and Identity Protection Division and the lead government attorney in the case, argued the commission has authority whenever consumers are harmed. “If consumers are injured, then of course we have jurisdiction because unfairness applies when consumers suffer substantial injury,” he said. “So that is sort of, that is the groundwork of all these cases.” The Brown & Williamson case was “not anything like the conflict we are talking about here,” he said.

An argument over FTC jurisdiction doesn’t necessarily require the time- and cost-intensive discovery phase, Szoka said. In a fair notice argument, the court would want to dig through Wyndham’s emails and communications to determine the company’s awareness of FTC data security standards, Szoka said. Salas echoed this sentiment during oral argument when Assaf brought up the fair notice concept. “Don’t we have to let discovery play out before one can stand at a dispositive stage and say we didn’t have adequate notice?” she asked Assaf. “Many of the arguments you are making to me sound like they are going to be appropriately made at a later juncture.”

With observers wary that Salas will approve the motion to dismiss, several have noticed Wyndham building a case for appeal. Wyndham convinced Salas to delay her ruling in the case in late December so both sides could submit comments on Commissioner Josh Wright’s testimony before the House Commerce, Manufacturing and Trade Subcommittee (WID Dec 4 p1) in which Wright reiterated his case for Section 5 clarification. “The historical record reveals an unfortunate gap between the theoretical promise of Section 5 as articulated by Congress and its application and practice by the FTC,” he said. “The gap has grown large, in part, due to the persistent absence of any meaningful guidance articulating what constitutes an unfair method of competition.” These statements have “bearing on defendants’ motions to dismiss,” Wyndham wrote in a Dec. 13 letter to Salas: They “will assist the court in rendering a decision.”

Wright was commenting only on the scope of FTC competition authority, the FTC said in its response. The FTC’s case against Wyndham is a consumer protection case, it said. Wyndham’s “representation” of Wright’s comments “is misleading,” the FTC said. Stegmaier interpreted Wright’s comments as his saying, “Look, there’s an element of realpolitik here that the agency can, does and has used to its advantage,” Stegmaier said. “But that doesn’t necessarily mean that’s what’s best for consumer protection. It’s an example of the adversarial system at work where one side has enormous advantages.” It’s an “important debate,” but not one necessarily unfolding in the Wyndham case, Stegmaier said.

The sides have since volleyed back and forth with responses on other issues raised during oral argument. “It’s an example of the parties building a record for appeal,” Stegmaier said. Ifrah’s Cohen agreed: “There’s probably plenty of open issues,” she said. Each side could be “laying the groundwork” for a prolonged case. “It’s difficult to obtain a motion to dismiss,” she said: But “Wyndham is definitely pulling out its guns.” As is the FTC: “I don’t see the FTC going down quietly,” she said.

Assaf seemed resigned during oral argument to a discovery process: “The FTC will never ever worry about a motion to dismiss under their view. All they have to say is we alleged unreasonable security practices -- let’s go forward with discovery. That is all they have to allege, no matter what the violation is.”

Which means Wyndham will likely get a chance to raise the issue of fair notice after discovery, Szoka said. But the company may have missed its best chance to press the point on FTC pleading standards in data security cases, he said. “The only argument that was easier for them to make now is that the pleadings aren’t adequate” because the case was still in its first stages, he said. Szoka thinks it was a missed opportunity. When bringing the case, the FTC alleged the data breach had resulted in more than $10.6 million in fraud loss. That doesn’t necessarily imply direct consumer financial harm, Assaf argued. Banks and credit card companies, not consumers, bear those fees, he said during oral argument. The FTC had separately alleged “unreimbursed fraud charges,” or payments illegally charged to a consumer’s account, said Moriarty. “We are not saying $10.6 million in unreimbursed fraud charges, but we do allege separately that there were unreimbursed fraud charges.”

It wasn’t specific enough, Szoka said. The FTC hasn’t “satisfied what should be their standard of pleading” for alleging deceptive and unfair practices, he said. Fraud generally has a heightened pleading standard in court, he said. “You would think that would include deception,” but “the FTC thinks that should only apply to common law fraud,” Szoka said. “They claim it doesn’t apply to deception cases.” Wyndham failed to drive home this argument in oral argument, he said.

Wyndham to Revisit Jurisdiction Issue

Wyndham will get to revisit its main argument -- lack of FTC jurisdiction -- and the fair notice argument after discovery, several lawyers said. Discovery could bolster Wyndham’s chances, Szoka said. “In a sense, it is easier for Wyndham because the FTC has to finally explain its arguments.”

“Fair notice” is an amorphous term and interpretations differ widely. But it has great legal importance, Stegmaier said. “The fair notice doctrine is not a trivial, academic legal theory with little bearing on the practice of law,” wrote Stegmaier and Wilson Sonsini data security lawyer Wendell Bartnick in a November article for the Journal of Internet Law, which DLA Piper Internet and copyright lawyer Mark Radcliffe oversees. “On the contrary ... the doctrine is directly relevant to the current regulatory climate.”

Essentially, fair notice is how the FTC uses its various tools -- staff reports, workshops, enforcement actions -- to inform the business community and public about its views and expectations, according to lawyers and speeches from several commissioners. FTC officials maintain the commission has effectively and efficiently used these tools, pointing to workshops on topics like the Internet of Things (WID Nov 21 p4), a 2012 commission report on privacy (http://1.usa.gov/1p11Flw) and the commission’s 50 data security enforcement actions (WID Feb 3 p15). Chairwoman Edith Ramirez and other FTC officials have brought this message to Capitol Hill during multiple hearings in recent weeks (WID Feb 5 p1, Feb 6 p5).

Several lawyers said the FTC’s workshops avoid serious legal issues. Commission reports suggest best practices without giving concrete guidelines and enforcement actions are “regulation by settlement as opposed to the formal processes,” Cohen said. “Workshops they've done have touched on the topic of data security occasionally, but they have not actually held a workshop on it since 2007,” Szoka said. When LabMD’s Daugherty was confronted with a possible consent decree over a data security enforcement action, “They won’t tell you anything,” he said. “They're masters of silence. It’s like playing poker. They just hand you other people’s consent decrees.”

“The commission has made clear,” Ramirez said Feb. 5 before the House Subcommittee on Trade, “that it does not require perfect security; that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.”

Judge Salas “seems to think very strongly the question of notice is a subjective question,” Szoka said. It shouldn’t be, Stegmaier said. The FTC has “a wealth of tools available to them that they've used in many other contexts they're not using on data security,” he said. “Their rationale for that is that their settlements provide guidance. But in the same breath they will also say those only apply to the individual case.” Szoka agreed, saying he believes Salas “is likely to make an error” on fair notice. Even if the FTC is meeting its legal standard of fair notice, Stegmaier said, “the crux of the matter is the distinction between better practice and legal requirement. The view of industry is there is plenty of room for improvement in articulating those distinctions at the agency.”

Looking at the specifics of Wyndham, this argument doesn’t hold up, said Derek Bambauer, a University of Arizona Internet law professor. The complaint “that there is insufficient notice about what constitutes reasonable cybersecurity practices, such that it would be hard for a firm to predict its risk of liability in advance ... seems weak to me,” he said. “If Wyndham’s practices were anything like the allegations contained in the FTC complaint, any sensible company could have predicted that they were unreasonable.”

If the case moves to discovery and Wyndham is unable to effectively make its pleadings or fair notice argument, the trial “gets down to the merits of the case,” Szoka said. Which puts Wyndham at a disadvantage, he said. “Wyndham’s on stronger ground if the case is resolved on those pleading and fair notice questions.”

Ruling Could Alter Security Landscape

“The Wyndham case is very important because there is no one single law in the United States that governs data security,” said Cumberland Law School’s Hartzog. Even if Wyndham’s prospects seem bleak, a ruling in Wyndham’s favor could alter the data security regulatory landscape, several lawyers said. “Wyndham is challenging the FTC’s statutory authority to regulate cybersecurity -- and, in particular, to regulate outside the confines of some sort of agreement or promise to consumers regarding cybersecurity,” Bambauer said. The FTC can use the standards of unfair or deceptive practices when bringing data security cases. If the judge strips the FTC “of its authority to police unfair data security practices” in a ruling, it would narrow the FTC’s data security enforcement ability, Hartzog added. The commission has settled 50 consent decrees in data security complaints; as of November, 17 of those alleged unfair practices as part of the complaint, according to Stegmaier and Bartnick’s article. Wyndham case discussions have largely targeted the FTC’s unfairness authority in data security cases, although the commission alleged both unfairness and deceptive practices in its complaint.

Companies with recent high-profile data breaches, like Snapchat and Target, “have real interest in this litigation,” Bambauer said. Hartzog said a ruling striking down the commission’s ability to exclusively allege unfairness “would make a complaint against these companies for the recent data breaches less likely, absent a deceptive representation about their data security practices.” That’s if Congress doesn’t step in, which it might, several lawyers said. “If the court ruling is unfavorable, it just lends immediate support to calls for greater FTC authority from Congress,” Stegmaier said.

Any ruling against the FTC would likely be issued “in a more narrow manner,” Cohen said. “The court is probably concerned” that if it vacates the FTC’s authority completely, “who is going to regulate? Is it the Wild Wild West?” she said. Many observers would like to see the court clarify regulatory authority. “It would be great if the court did address it,” Cohen said. “I'm not sure the court is going to go that far.”

An FTC triumph rubber-stamps the commission’s increasing data security role, said several lawyers. “If they win ultimately -- if it’s litigated to a final judicial decision that is favorable to the agency -- then they're able to continue apace with what they're doing,” Stegmaier said. At the FTC IoT workshop, Ramirez said that “companies that don’t pay attention to their security practices may find that the FTC will.” A commission win “more or less ratifies her case,” said the University of Washington’s Calo.

It’s “safe to say” the court “will give a fair amount of discretion to the FTC,” Szoka said. With a dearth of case law to guide the court, it will likely give deference to the commission, he said. Regardless of the outcome, the case will continue to focus attention on how the FTC defines its unfairness standard, Szoka said. Ultimately, “we don’t really know,” he said. “It’s never happened before.”