Setting the Bar in Cyberspace: How the FTC is Enforcing Standards That Protect Individuals Online

Sam Pellegrino
Monday, September 8, 2014

I.   The Dangers of Cyberspace are Changing, but All Cause Damage

            Cyber security is quickly changing in a multitude of ways.  As the international economy grows increasingly dependent upon the Internet as a means to conduct business, online criminals find new ways to target unsuspecting citizens.  Unauthorized users intrude upon U.S. corporate computer systems through a variety of methods, thereby causing significant damage to companies and individual citizens alike.  Criminals can access secured computer networks through ports, which allow entry and the ability to leak a wealth of secured information into the public.[1]  Using this information, these unauthorized users are then able to manipulate the hacked network for their own agenda; frequently causing harm to the companies and their customers.[2] Criminally-minded computer programmers have the ability to cause massive economic loss by designing and introducing “malware” to computer networks.[3]  Malware takes a variety of forms wherein each form is able to take advantage of an Internet user’s system and forcibly take control of the system without recourse.[4]  More so, these pieces of code do not cause minimal damage. The most economically damaging form of malware was the MyDoom virus, which caused over $38.5 billion in damages around the world in January 2004.[5]

II.  The FTC Takes the Lead Without Much Congressional Guidance

            Typically, the U.S. government has relied extensively on federal criminal law—such as with the enactment of the Computer Fraud and Abuse Act of 1986 (“CFAA”) and its subsequent improvement the Cyber Security Enhancement Act of 2002 (“CSEA”)—when dealing with the problems of cyber security.[6]  The CFAA[7] covers a variety of computer fraud and intrusion crimes, and imposes harsher penalties than it did prior to the revisions provided by the CSEA (as well several portions of the Patriot Act).[8]  The CFAA makes it unlawful for an unauthorized person to access a protected computer in order to obtain information, acquire something of value through fraudulent means, or damage the computer of another.[9]  The consequences of violating the CFAA only once can quickly result in up to five years imprisonment if the defendant intended to obtain financial advantage.  Furthermore, these laws also open the defendant up to lawsuits for compensatory damages.[10]  However, these acts are purely reactionary: assigning punishments for crimes that have been committed rather than seeking to regulate data security as a whole.

            In terms of actual regulation of data security, the most active form of government regulation has come from the Federal Trade Commission (“FTC”).[11]  The FTC became active in online privacy issues in 1995 when it first encouraged self-regulation of data security.[12]  The FTC hoped the industry would self-regulate and prevent the loss of finances through electronic commerce.[13]  Despite this encouragement from the FTC, companies were unable to protect the confidence of electronic commerce to the extent that the FTC intended.[14]  By the year 2000, it was widely recognized that despite market incentives to self-regulate—instituted by the FTC as a promotion of privacy policies on company websites—companies’ self-regulation was not meeting the expectations of the FTC.[15]  For example, the FTC could require a company to enforce its website policies under Section 5 of the Federal Trade Commission Act (“FTC Act”) to pursue deceptive practices,[16] but it could not force company websites to adopt a policy in the first place.[17]  The FTC began to propose legislation that would allow it to pursue specific privacy issues, but the chair of the FTC was replaced during President George Bush’s tenure before the legislation took hold.[18]  The next chairman, Timothy Muris, pushed the FTC to expand its existing powers under Section 5 of the FTC Act rather than pursue the new legislation.[19] As a result, the FTC used the “deceptive trade practices” area of the Act as law enforcement, not only against websites that did not follow their own website policies, but also against companies that had security breaches in their networks.[20]

            This has resulted in the FTC suing several companies for failing to adopt “reasonable security measures” to protect consumer financial data against intrusions by unauthorized users; however, the companies ultimately settled.[21]  The FTC argued that those intrusions alone could be defined as “unfair acts or practices” in violation of Section 5 of the FTC Act.[22]

III.  The Case of F.T.C. v. Wyndham Worldwide Corp.

            Recently, the FTC has filed a suit in the District of New Jersey against Wyndham Worldwide Corporation as well as its affiliates for several security breaches within the hospitality company, and the suit has survived a motion to dismiss.[23]  Wyndham Hotels licenses its name out to certain hotels under a franchise agreement, but requires those hotels to use its corporate network computer system to handle all transactions and customer financial information.[24]  Despite several hotels having their own unique websites, reservation information and financial transactions must be processed by the main system.[25]  From 2008 to 2010, Wyndham suffered three separate attacks on its system.[26]  These network attacks allegedly compromised more than 600,000 customers’ payment card numbers and resulted in more than $10.6 million in fraud losses.[27]  As a result, the FTC sued Wyndham and its corporate entities under Section 5 of the FTC Act, which prohibits deceptive trade practices if they cause consumers substantial injury that is neither reasonably avoidable by the customers nor outweighed by countervailing benefits.[28]

a.  Arguments For and Against Motion to Dismiss

            Wyndham moved to dismiss the FTC’s suit on three grounds.[29]  Firstly, Wyndham argued that the FTC lacks the ability to bring an unfairness claim in a security data context.[30]  Wyndham likened data security to the niche regulatory area of tobacco in FDA v. Brown & Williamson Tobacco Corp., thereby preventing the FTC from regulating it.[31]  In Brown, the Supreme Court held that in conjunction with Congress’ subsequent tobacco-specific legislation, “it is plain that Congress has not given the FDA the authority” to regulate tobacco products as customarily marketed.[32]  Furthermore, Wyndham argued that the FTC had disavowed the authority to regulate data security previously.[33]  The trial court rejected this argument because it would have carved out a data security exception to the FTC’s authority based on a case inherently dissimilar to this one.[34]  The Court explained that in Brown, unlike in this case, the issue depended on the inconsistency created when the FDA attempted to ban tobacco in clear contradiction to congressional legislation.[35]  Here, there is no such tension between the FTC and Congress: Wyndham “fails to explain how the FTC’s unfairness authority over data security would lead to a result that is incompatible with more recent legislation.”[36]  Rather, the Court stated, “ . . . subsequent data security legislation seems to complement—not preclude—the FTC’s authority.”[37]  Finally, the trial court rejected Wyndham’s argument that the FTC had disavowed the authority to regulate data security because Wyndham failed to provide FTC statements to that extent.[38]

            Secondly, Wyndham claimed that the FTC violated fair notice principles by bringing its lawsuit before creating formal regulations establishing standards for data security.[39] Wyndham argued that they should not be held accountable for violations without notice on the FTC’s part.[40] They reasoned, “[A]gencies cannot rely on enforcement actions to make new rules and concurrently hold a party liable for violating the new rule.”[41] In opposition, the FTC pointed out that doing so “would undermine 100 years of FTC precedent” because “the FTC could never protect consumers from unfair practices without first issuing a regulation governing the specific practice at issue.”[42] The Court rejected Wyndham’s argument because the FTC has the discretion to regulate either by rulemaking or by adjudication.[43] The flexibility inherent within the FTC Act is what allows the FTC to pursue unfairness actions in the absence of set regulations.[44] The trial court further noted that if it accepted Wyndham’s proposition, “the FTC would have to cease bringing any unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”[45]

            Finally, Wyndham moved to dismiss the claims on the grounds that the FTC failed to adequately allege that Wyndham’s conduct was “unfair” or “deceptive” under Section 5.[46] Wyndham argued that the practice must cause or be likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves.”[47] Wyndham claimed “consumer injury from theft of payment card data is never substantial and always avoidable.”[48]More specifically for the “unfairness” claim, Wyndham contended that because customers can rescind any unauthorized charges through their card issuer, the customers affected by the security breaches did not actually obtain injury.[49]  Furthermore, Wyndham added that any “incidental injuries that consumers suffered”—such as monitoring financial information—is insufficient.[50] For the “deception” claim, Wyndham argued that the FTC’s allegations of wrongdoing were merely “conclusory statements” that supposedly fell short of establishing a claim to relief.[51]  The Court rejected all of Wyndham’s arguments for both “unfairness” and “deception.” As for the argument that consumers did not suffer an injury, the Court held that it could not “make such a far-reaching conclusion regarding an issue that seems fact-dependent.”[52]  The FTC set forth various assertions with factual details that specified leaks in Wyndham’s security ultimately causing breaches, therefore the Court was justified in rejecting the argument that the FTC simply made conclusory statements..[53]  Without any valid arguments on the part of Wyndham, the district court denied the motion to dismiss.[54]

IV.  New Expansion of Government into Data Security

            Despite the penalties created by legislation like the CFAA, Congress has yet to pass rules and regulations in the field of data security that would bind the FTC in these matters.  The threat of cyber attacks is real, and the ever-expanding online world requires some kind of regulatory power.  The FTC has taken the position that receiving financial information from individuals and then failing to protect that information adequately from unauthorized users is an unfair practice. Insofar as dismissing such claims, the federal district court in Wyndham has supported the FTC.  If the Court continues to support the FTC, it could mean an expansion of power into the field of data security by the government and the establishment of industry standards enforceable by law.  Furthermore, the trial court’s decision preserved the FTC’s ability to pursue matters in adjudication or rule making. If the case stands, the FTC may no longer be limited to consent orders in this field and may be able to uphold data security standards in the absence of congressional legislation.[55]

V.  Conclusion

            The field of data security is rapidly evolving and the government is struggling to find the authority to regulate it.  The Wyndham case, if not overturned, is a large step for the FTC in grasping at some kind of regulatory law without further guidance from Congress.  By being able to extend adjudicating authority into the area of data security, it has the ability to set some kind of industry standard of reasonable behavior for online businesses and websites.  For consumers, it means a greater level of protection by the government in cyberspace.  Unfortunately, for smaller business owners, it could prove to be yet another bar to hurdle in starting and maintaining a business online with additional costs in maintaining a protected website.  Only with further litigation will this case prove to be a temporary success, or something more substantial.



*Sam Pellegrino is a May 2015 J.D. candidate at Rutgers School of Law—Camden.  He may be contacted by email at pellegrinosam@gmail.com.

[1] See Mark G. Milone, Hacktivism: Securing the National Infrastructure, 58 BUS. LAW. 383, 387 (2002).

[2] See, e.g., United States v. Aleynikov, 737 F. Supp. 2d 173, 174 (S.D.N.Y. 2010) ("[Defendant] copied, compressed, encrypted, and transferred to an outside server in Germany hundreds of thousands of lines of source code for the Trading System, including trading algorithms that determine the value of stock options”).

[3] See generally United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991) (explaining how the defendant transmitted a computer “worm” into a group of national networks that were connecting university, governmental, and military computers).

[4] Nathan Alexander Sales, Regulating Cyber-Security, 107 NW. U. L. REV. 1503, 1509–10 (2013). Malware includes pieces of code such as “viruses” (infects a software program, then uses that program to replicate); “worms” (programs that are able to replicate by themselves within a system); “logic bombs” (malware that is able to command a computer to execute a set of instructions under certain conditions); and distributed denial-of-service attacks (where a computer is able to disable a system by overloading it with traffic). Id.

[5] MyDoom Shows Vulnerability of the Web, NETWORK COMPUTING (Feb. 2, 2004, 3:00 PM), http://www.networkcomputing.com/careers-and-certifications/mydoom-shows-....

[6] See generally 18 U.S.C.S. § 1030 (West 2008).

[7]  Milone, supra note 1, at 389 (noting how the law protects the national infrastructure by “easing the restrictions placed on electronic surveillance” and by amending provisions of the Consumer Fraud and Abuse Act to increase penalties for cybercrimes).

[8] 18 U.S.C.S § 1 (2001 & Supp. 2003).

[9] See 18 U.S.C.S. § 1030(a)(5)(B)).

[10] Tara Mythri Raghavan, In Fear of Cyberterrorism: An Analysis of the Congressional Response, 2003 U. ILL. J.L. TECH. & POL’Y 297, 300 (2003) (citing 18 U.S.C. § 1030(g)).

[11] Michael D. Scott, The FTC, the Unfairness Doctrine, and Data Security Breach Litigation: Has the Commission Gone Too Far?, 60 ADMIN. L. REV. 127, 128 (2008).

[12] Id.

[13] Id.

[14] Id. at 130.

[15] See Steven Hetcher, The FTC as Internet Privacy Norm Entrepreneur, 53 VAND. L. REV. 2041, 2057 (2000). See also, Scott, supra note 11, at 130 n.19  (“The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient.”).

[16] Federal Trade Commission Act, 15 U.S.C. §§ 41-58 (2000) (explaining the FTC is allowed to "prevent persons, partnerships, or corporations” from using “unfair or deceptive acts or practices in or affecting commerce.”).  

[17] Scott, supra note 11, at 131.

[18] Id.

[19] Id.

[20] Id. at 134.

[21] See Complaint, BJ’s Wholesale Club, Inc., No. C-4148 (F.T.C. Sept. 20, 2005); see Decision and Order, DSW, Inc., No. C-4157 (F.T.C. Dec. 1, 2005); see also Decision and Order , CardSystems Solutions, Inc., No. C-4168 (F.T.C. Sept. 8, 2006).

[22] Scott, supra note 11, at 146.

[23] F.T.C. v. Wyndham Worldwide Corp., No. CIV.A. 13-1887 ES, 2014 WL 1349019, at *1 (D.N.J. Apr. 7, 2014).

[24] Id. at *2.

[25] Id.

[26] Id. .

[27] Id. at *3.

[28] Id. at *4.

[29] Wyndham, 2014 WL 1349019, at *1.  

[30] Id. at *4.

[31] See FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 161 (2000).

[32] Brown, 529 U.S. at 120.

[33] Wyndham, 2014 WL 1349019, at *5.

[34] Id. at *6.

[35] Id. (citing Brown, 529 U.S. at 137).

[36] Id.