Federal Trade Commission (FTC) v. Wyndham Worldwide Corp., et al.
Media: "Legal Showdown on Cybersecurity" (5/13/13)
Blog Post: "FBI Says, Expect To Be Hacked; FTC Says, Expect Us To Sue You" (10/24/12)
Blog Post: "FTC, Stop Punishing Hacking Victims" (10/5/12)
CASES RELATED BY THIS ISSUE
U.S. Chamber amicus brief challenges FTC's pattern of punishing businesses that are victims of criminal hacking
The U.S. Chamber led a coalition including the Retail Litigation Center, American Hotel & Lodging Association, and National Federation of Independent Business to urge the U.S. District Court for the District of New Jersey to grant the defendant company's motion to dismiss the FTC's lawsuit that claimed the defendant companies engaged in "unfair" trade practices because they allegedly lacked "reasonable" data security measures to prevent hackers from breaching its data defenses. According to the amicus brief, the FTC has a pattern of abusing its "unfairness" authority to effectively set and enforce nationwide general data-security public policy through ad hoc enforcements.
The Chamber's amicus brief explains that over the last several years, the FTC has routinely punished businesses who are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there’s no way for a business to truly know beforehand what the FTC will consider “reasonable” measure until after it’s been hacked. Because FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it. Then the FTC strong-arms the business into entering into so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.
The FTC's conduct raises serious due process concerns, is not supported by any statutory grant of authority from Congress, and chills e-commerce and innovation. The brief reiterates that the Chamber and its members are committed to improving data security, but that the FTC's approach wrongly punishes the victims of cyber hacking attacks, without providing businesses fair notice of what is expected of them.
The FTC’s regulation by consent order has a particularly pernicious impact on small businesses. Because they have no way of knowing in advance what the FTC considers commercially “reasonable” data security measures, many small businesses must divert scarce resources away from addressing cybersecurity breaches to retaining legal counsel in anticipation of and response to potential FTC investigations and enforcement actions. Many other small businesses lack the resources to retain legal counsel, which gives the FTC additional leverage to compel so-called voluntary submission to consent decrees. Not surprisingly, a significant number of the FTC’s data-security consent decrees have been with small and independent businesses. In addition to imposing exorbitant costs, the FTC’s regulatory approach shifts the attention of small business personnel away from managing and growing their businesses to responding to intrusive FTC investigations.
Previously, the Chamber filed in the same case in the District of Arizona federal court, which was transferred to New Jersey.
The Court denied Wyndham Worldwide's motion to dismiss.
U.S. Chamber amicus brief in support of motion to dismiss in Arizona district court filed 10/5/12. Motion to transfer venue to the District Court for the District of New Jersey granted on 3/25/13. U.S. Chamber amicus brief and IFA amicus brief in support of motion to dismiss filed in New Jersey district court 5/3/2013. FTC Response Briefs filed 5/20/13. Wyndham Hotels and Resorts and Wyndham Worldwide response briefs filed 6/10/13. Defendants requested oral argument 6/12/13. Motion for Leave to File Amicus Brief Granted 7/17/13. Decided 4/7/2014.