Beleaguered companies suffering from data breaches got more bad news when a federal judge held that the United States Federal Trade Commission (the “FTC”) has the authority to regulate corporate cybersecurity practices. The FTC has been enforcing consumers’ privacy rights through enforcement actions under Section 5 of the FTC Act, which prohibits “unfair” or “deceptive” trade practices, since the 1990s, but it has been increasingly active in the data security area in recent years (see our coverage here). Historically, many of the FTC’s privacy enforcement actions have been settled out of court by consent decree. However, some of the recent consent decrees imposed significant monetary penalties and other onerous conditions – including up to twenty years of mandatory third-party audits of privacy practices – on settling companies. Target companies – including hotel chain Wyndham Worldwide (“Wyndham”) – had begun to push back on the FTC, arguing that it lacked the authority to regulate data security practices and that it was seeking to hold victim companies responsible for the actions of criminal hackers. A federal judge in the District of New Jersey rejected Wyndham’s argument this week, and refused to “carve out a data-security exception to the FTC’s authority” to protect consumers. In light of this ruling, and because the FTC has not published a standard set of data security practices, companies that handle personal data should educate themselves on the FTC’s previous complaints, consent decrees, and guidance to help avoid becoming the next target of an FTC enforcement action.
For additional information about the Wyndham opinion or regulatory issues that may arise in the event of a breach, please contact: