Federal Trade Commission (FTC) v. Wyndham Worldwide Corp., et al.
Media: "Legal Showdown on Cybersecurity" (5/13/13)
Blog Post: "FBI Says, Expect To Be Hacked; FTC Says, Expect Us To Sue You" (10/24/12)
Blog Post: "FTC, Stop Punishing Hacking Victims" (10/5/12)
U.S. Chamber amicus brief challenges FTC's pattern of punishing businesses that are victims of criminal hacking
In the coalition brief, the Chamber asked the New Jersey District Court to certify Wyndham’s motion for interlocutory appeal because there are substantial grounds for genuine differences of opinion and early resolution of the issues presented in this case is critical. The brief argued that interpreting the FTC’s general authority, and assessing the sufficiency of the Commission’s guidance about what constitutes commercially reasonable security measures, would provide much-needed clarification. The brief points out that an FTC investigation imposes substantial costs, including costs related to the production of documents and information responsive to the Commission’s requests. Moreover, companies currently struggle to derive clear standards from the FTC’s many consent orders and previous pronouncements on data security. With greater certainty, businesses would be able to better allocate their scarce resources toward compliance with the multifaceted regulatory regime governing data security.
Catherine E. Stetson, J. Robert Robertson, Harriet P. Pearson, and Bret S. Cohen of Hogan Lovells US LLP represented the U.S. Chamber of Commerce as co-counsel to the National Chamber Litigation Center.
This brief was filed jointly with the American Hotel & Lodging Association and the National Federation of Independent Business.
The U.S. Chamber led a coalition including the Retail Litigation Center, American Hotel & Lodging Association, and National Federation of Independent Business to urge the U.S. District Court for the District of New Jersey to grant the defendant companies' motion to dismiss the FTC's lawsuit, which claimed that the defendant companies engaged in "unfair" trade practices because they allegedly lacked "reasonable" data security measures to prevent hackers from breaching their data defenses. According to the amicus brief, the FTC has a pattern of abusing its "unfairness" authority to effectively set and enforce nationwide general data-security public policy through ad hoc enforcements.
The Chamber's amicus brief explains that over the last several years, the FTC has routinely punished businesses that are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there’s no way for a business to truly know beforehand what the FTC will consider a “reasonable” measure until after it’s been hacked. Because the FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and had an enforcement action filed against it. Then the FTC strong-arms the business into entering so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.
The FTC's conduct raises serious due process concerns, is not supported by any statutory grant of authority from Congress, and chills e-commerce and innovation. The brief reiterates that the Chamber and its members are committed to improving data security, but that the FTC's approach wrongly punishes the victims of cyber hacking attacks, without providing businesses fair notice of what is expected of them.
The FTC’s regulation by consent order has a particularly pernicious impact on small businesses. Because they have no way of knowing in advance what the FTC considers commercially “reasonable” data security measures, many small businesses must divert scarce resources away from addressing cybersecurity breaches to retaining legal counsel in anticipation of and response to potential FTC investigations and enforcement actions. Many other small businesses lack the resources to retain legal counsel, which gives the FTC additional leverage to compel so-called voluntary submission to consent decrees. Not surprisingly, a significant number of the FTC’s data-security consent decrees have been with small and independent businesses. In addition to imposing exorbitant costs, the FTC’s regulatory approach shifts the attention of small business personnel away from managing and growing their businesses to responding to intrusive FTC investigations.
Previously, the Chamber filed in the same case in federal court in the District of Arizona, before the case was transferred to New Jersey.
The Court issued an Order denying defendant Wyndham's motion to dismiss. The case was subsequently appealed to the U.S. Court of Appeals for the Third Circuit.
New Jersey District Court Briefing
U.S. Chamber amicus brief in support of motion to dismiss in Arizona district court filed 10/5/12.
Motion to transfer venue to the District Court for the District of New Jersey granted on 3/25/13.
U.S. Chamber amicus brief and IFA amicus brief in support of motion to dismiss filed in New Jersey district court 5/3/2013.
FTC Response Briefs filed 5/20/13.
Wyndham Hotels and Resorts and Wyndham Worldwide response briefs filed 6/10/13.
Defendants requested oral argument 6/12/13.
Motion for Leave to File Amicus Brief Granted 7/17/13.
Motion for interlocutory appeal granted 6/23/2014. The case has been appealed to the U.S. Court of Appeals for the Third Circuit.