This post was co-authored by Professor Daniel Solove.
The long-awaited federal district court opinion in FTC v. Wyndham was finally released last week. The U.S. District Court for the District of New Jersey rejected Wyndham’s arguments that the FTC lacks the authority to regulate unfair data security practices, that the FTC is required to issues rules before bringing an unfair data security complaint, and that the FTC failed to provide fair notice of what constitutes an unfair data security practice.
I blogged about the case here at LinkedIn last week.
Professor Woodrow Hartzog and I just published a more detailed analysis of the case in Bloomberg BNA Privacy and Security Law Report.
For more background about the FTC’s privacy and data security enforcement activity, see our article, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014).
Here are some key quotes from the FTC v. Wyndham decision:
1. “[T]he FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.” (p.12)
2. “[T]he Court must consider the untenable consequence of accepting Hotels and Resorts’ proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.” (p. 25)
3. “Indeed, ‘the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.’ Gen. Elec. Co. v. Gilbert, 429 U.S. 125, 141-42 (1976) (emphasis added). . . .” (p. 24)
4. “Although the court is not convinced that non-monetary harm is, as a matter of law, unsustainable under Section 5 of the FTC Act, the Court need not reach this issue given the substantial analysis of the substantial harm element above.” (p. 28, footnote 15)
5. “[A]ccepting Hotels and Resorts’ position leads to the following incongruous result: Hotels and Resorts can explicitly represent to the public that it ‘safeguard[s] . . .personally identifiable information by using industry standard practices’ and makes ‘commercially reasonable efforts’ to make collection of data ‘consistent with all applicable laws and regulations’—but that, as a matter of law, the FTC cannot even file a complaint in federal court challenging such representations without first issuing regulations.” (p. 38)