A Challenge to the FTC’s Regulation of Data Security

May 13, 2013

In a case pending in the federal court for the District of New Jersey, hotel company Wyndham Worldwide Corporation is challenging the authority of the Federal Trade Commission (FTC) to regulate data security activities.  The outcome of this case could affect computer security and information privacy in the United States profoundly.

Originally filed by Wyndham in District Court for the District of Arizona in March 2013, the case was transferred to federal court in New Jersey.  Wyndham raises several arguments against FTC jurisdiction over data security.

This case arises out of an enforcement action initiated by the FTC against Wyndham and several of its subsidiary companies.  That action alleged that Wyndham data security failures resulted in fraudulent charges to customer accounts totaling more than $10.6 million.  The FTC also alleged that more than 500,000 customer account numbers were transferred to Russia as a result of the security breaches.

Wyndham claims that the FTC specifically recognized its lack of authority over data security when reporting to Congress in 2000.  The company also contends that Congress has directly enacted data security measures through legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), and that legislation of this sort reflects Congressional belief that the FTC and other regulatory agencies do not have broad authority over data security practices.  Wyndham also points to the failure of Congress to take any sort of broad action on data security as an indication of Congressional belief that such oversight is unnecessary and inappropriate.

The FTC responds that it has authority to require reasonable measures to protect the privacy of personal consumer information, and that enforcement actions of the kind initiated against Wyndham are necessary in order to protect consumer information.  The FTC argues that it has the ability to protect consumer privacy through oversight of data security in both rulemaking and enforcement actions.

Actions that restrict the ability of the FTC and other regulatory authorities to regulate data security operations are likely to have a profound adverse impact on personal privacy.  Oversight of data security policies, practices, and procedures is a vital component of the protection of personal privacy.

In addition, undermining regulatory review of data security measures and operations will likely substantially erode efforts to protect important proprietary economic information and national security secrets.  Data security practices play a vital role in commercial competitiveness and national security, as recent widely publicized allegations of cyber espionage raised against Chinese authorities illustrate.

Congressional inaction on the issue of data security does not demonstrate that the issue is insignificant.  Instead, that inaction illustrates the complexity of the issue and the shortcomings of Congressional processes.  Congressional inaction on broad data security measures underscores the significance of FTC authority and action to oversee data security practices.

The court in the Wyndham case should not impede FTC authority to take active enforcement and rulemaking actions in the fields of data security and information privacy.  The FTC is currently one of the few active guardians of information privacy and data security in the United States.  Actions that in any way reduce the effectiveness of the FTC in those fields would be reckless and completely contrary to the public interest.