State AG Enforcement Of Data Security Breaches Expected To Increase Following Recent Federal Court Decision Empowering The Federal Trade Commission To Bring Suit
Last week, a highly anticipated question in data privacy was finally answered, clarifying the power of the Federal Trade Commission (FTC) to oversee commercial data security practices and to sue businesses that fail to secure customer information adequately from data breaches. F.T.C. v. Wyndham Worldwide Corp., CIV.A. 13-1887 ES, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). Refusing to "carve out a data security exception" from the FTC's authority, U.S. District Court Judge Esther Salas held that the FTC's enforcement powers under Section 5 of the Federal Trade Commission Act of 1914, 15 U.S.C. 45(a) ("FTC Act") (prohibiting unfair or deceptive trade practices) extend to data breaches. Because State Attorneys General (AGs) have often been granted similar consumer protection authority under their state unfair and deceptive trade practices statutes (UDAP statutes, commonly known as "mini-FTC Acts," which are largely analogs of the FTC Act), we can expect this decision to similarly empower AGs to sue companies for data breaches.
The FTC sued Wyndham Worldwide Corporation and its subsidiaries (collectively, Wyndham) over three data breaches of company computer systems alleged to have occurred between April 2008 and January 2010 that resulted in the loss of personal and transactional data for over 619,000 customers and over $10 million in losses to fraud. The FTC's complaint alleged that Wyndham violated the FTC Act's unfair trade practices prohibition because its "failure to implement reasonable and appropriate security measures exposed consumers' personal information to unauthorized access, collection, and use" that "caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses."
Wyndham moved to dismiss the FTC's claims, arguing that Congress had not authorized the FTC to broadly regulate data security because it had enacted industry-specific laws that contain data security standards, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act of 1996. The court found that these statutes did not contain consumer injury provisions and therefore did not conflict with the FTC's authority under the FTC Act in a way that could preclude Section 5 enforcement in the field.
Wyndham also argued that the FTC authority violated basic principles of fair notice and due process...