Over the last nine years, the FTC has brought four dozen enforcement actions alleging that a failure to have reasonable data security was unfair and/or deceptive. Last year, Wyndham Hotels became the first company to refuse to settle such charges, forcing the FTC to litigate. The case has languished for thirteen months, but yesterday the court finally announced a date for oral arguments on Wyndham’s motion to dismiss: November 7 at 11 a.m. in Newark. Once we have the transcript, we’ll report back with what the judge’s questions, and answers from both sides, say about how the court might resolve this important case.
At a minimum, we’d like to see the court dismiss the FTC’s complaint as inadequately pleaded, and require the FTC to file a new complaint that better explains the FTC’s legal justification using its unfairness powers to require “reasonable” data security.
But even re-filing won’t solve the more fundamental problem: providing companies sufficient guidance as to what “reasonable” data security practices would be. That’s required by the due process doctrine of “fair notice.” The Commission has claimed that its “common law of consent decrees” should offer ample guidance, but as our amicus brief explains, “these settlements are devoid of doctrinal analysis and offer little more than an infinite regress of unadjudicated assertions.”
If the court actually reaches these kind of due process issues, you can bet the FTC will pull the fire alarm asking Congress to pass data security legislation immediately. That may not be a bad thing, and it could certainly catalyze a long-overdue conversation in Congress about how the FTC should operate. Stay tuned for more from us on that score.
Meanwhile, check out the video of our recent event on data security focused on the case of LabMD, which recently became the second company to challenge an FTC data security enforcement action.