Today, a federal court denied Wyndham’s Motion to Dismiss the FTC’s charges that the hotel chain failed to provide “reasonable” security for customer data. The District Court’s decision allows the FTC to continue collecting information under court-ordered discovery, but reserves until a motion for summary judgment or trial the underlying questions in the first-ever challenge to the FTC’s decade-long enforcement of data security (and privacy) issues through its Section 5 “unfairness and deception” authority.
“Today’s decision is not remotely surprising, but it also misses the point,” said Berin Szoka, President of TechFreedom, which filed an amicus brief in the case along with the International Center for Law & Economics and leading consumer protection scholars. “The court’s analysis explains at length what we never questioned: that the FTC’s sweeping authority over unfair and deceptive trade practices includes data security and that the FTC need not issue formal regulations before enforcing that authority. The court dodged the hard question: does the FTC’s body of roughly fifty unadjudicated settlements and a skimpy ‘guidance brochure’ provide adequate notice? Given that so few companies will challenge the FTC in court, does the FTC have too much discretion?”
The district court decision notes the “rapidly-evolving nature of data security” and quotes the Supreme Court’s 1976 decision in General Electric v. Gilbert: “the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.” The Wyndham decision omits the subsequent sentence: “The weight of such a judgment in a particular case will depend upon the thoroughness evident in its consideration, the validity of its reasoning, its consistency with earlier and later pronouncements, and all those factors which give it power to persuade, if lacking power to control.”
Szoka continued: “The court notes that Congress has prescribed a three-part standard for unfairness but fails to assess whether the FTC has, through a series of unadjudicated settlements, thoroughly or rigorously applied that standard, or whether the approach it has taken in reality a run-around of clear Congressional intent. We believe the FTC must do more to explain its analysis of both unfairness and deception, that, in most cases, it could do so in most cases without great difficulty, but that in hard cases, the future direction of the law must ultimately be up to the courts, not the three unelected FTC bureaucrats. We hope Wyndham will focus on these question in its appeal and at the motion for summary judgment. If the courts do not force the FTC to apply greater analytical rigor in what it increasingly calls a ‘common law’ of data security and privacy, it will fall to Congress to reform the FTC’s processes to ensure greater checks on the agency’s discretion.”
Szoka is co-author, along with Geoffrey Manne and Gus Hurwitz, of the FTC: Technology & Reform Project’s initial report, “Consumer Protection & Competition Regulation in a High-Tech World: Discussing the Future of the Federal Trade Commission,” which critiques the FTC’s processes and suggests areas where the FTC, the courts and Congress could improve how the FTC applies its sweeping unfairness and deception powers in data security, privacy and other cases, especially related to technology.
Szoka is available for comment at firstname.lastname@example.org.