On April 7, 2014, the District Court held that the Federal Trade Commission (“FTC”) has authority to bring an unfair trade practice claim involving data security without formally issuing regulations before bringing such a claim.
Defendants used a computer system that handled reservations and payment card transactions while storing consumers’ personal information, “including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.”
After several data breaches which, according to the FTC, resulted in more than $10 million in fraud losses to consumers, the FTC alleged that Defendants “failed to provide reasonable and appropriate security for the personal information collected”. According to the FTC, Defendants violated Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices”. The FTC sought a permanent injunction to prevent future violations of the Act, as well as certain other relief.
Defendants filed a motion to dismiss, raising, among others, the following three issues.
First, Defendants challenged “the FTC’s authority to assert an unfairness claim in the data-security context”, because “the FTC does not have the authority to bring an unfairness claim involving data security.” They argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, COPPA), it did not intend for the FTC to be able to regulate data security more generally under the unfairness provision of the FTC Act. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”
Second, Defendants asserted that “the FTC must formally promulgate regulations before bringing its unfairness claim…without promulgating such regulations, the FTC violates fair notice principles”. However, the Court held that agencies like the FTC need not formally issue regulations before bringing unfairness claims. Otherwise, the Court reasoned, “[t]he FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions – a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”
Third, Defendants argued that the FTC’s allegations were pleaded insufficiently to support an unfairness claim. However, the court concluded that the FTC’s allegations that “data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers” were sufficient to plead an unfairness claim under the FTC Act.
In deciding the case, the Court remarked that it “does not render a decision on liability today. Instead, it resolves a motion to dismiss a complaint. A liability determination is for another day. And this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
Applicable law: 15 USC 45