Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s. 54(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010. The question before the court, on a 12(b)(6) motion to dismiss brought by Wyndham, was whether the FTC had the power to bring an unfairness action for data breaches (1) when there are already specific data breach laws over which the FTC has enforcement and regulatory authority, and (2) absent specific rulemaking by the FTC on what data security related actions might constitute unfairness/deception. The court denied the motion to dismiss, so the FTC’s case will go forward. Specifically, the court rejected Wyndham’s “invitation to carve out a data-security exception to the FTC’s unfairness authority.”
If you are an entity interested in what federal laws govern breaches of data security, or are advising companies on this issue, this is big news. Data breach law has tended to be state law heavy, since there is no single over-arching federal data privacy law governing how private companies maintain and protect consumer information (notwithstanding the currently pending – or stalled – Cyber Intelligence Sharing and Protection Act, or CISPA). Federal laws tends to be very subject matter specific – such as the Gramm-Leach-Bliley for financial issues or HIPAA for health information– and thus understanding the scope of an entity’s obligations under federal law involves first understanding whether a specific statute or regulation applies. But Wyndham suggests that, in fact, one size might very well fit all. Wyndham points to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter under much more general authority.
All of that said, Wyndham raises far more questions than it resolves. Given the case’s procedural posture and the rmaining questions before the court, the case is and might very well remain limited in its reach. But those of you concerned about developments in this area of law should keep it in mind: it could be a harbinger of things to come.