Federal Trade Commission

ftc1One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has recurred in consumer cybersecurity-related damages actions and it has also arisen in regulatory enforcement actions as well. These issues were presented in a very interesting July 29, 2016 Opinion from the Federal Trade Commission (here). The Commission overturned a prior ruling by one of its own Administrative Law Judges, and held, contrary to the ALJ, that the release of private and sensitive information in and of itself was sufficient – even in the absence of alleged economic or physical injury — to support a claim against LabMD that its failure to prevent the information’s release constitutes an “unfair” practice. The FTC’s July 29, 2016 press release about the agency’s ruling can be found here.  As the WSJ Law Blog noted in a July 29, 2016 post (here), the FTC’s ruling sets the stage for a “high stakes federal court battle” on the issue of what kind of alleged injury is sufficient to support cybersecurity-related unfair practices claim.
Continue Reading FTC Holds Private Information Disclosure In and Of Itself Sufficient Injury to Support Unfair Practices Claim

wyndham worldwideAccording to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information.  As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Continue Reading Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action

ftcFollowing the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.

In a 92-page November 13, 2015 opinion (here), FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices has caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.
Continue Reading FTC Data Breach-Related Enforcement Action Dismissed Based on Lack of Alleged Consumer Harm

third circuit blueOn August 24, 2015, in a ruling that was much-anticipated because of its potential implications for the regulatory liability exposures of companies that have been hit with data breaches, the Third Circuit affirmed the authority of the Federal Trade Commission to pursue an enforcement action against Wyndham Worldwide Corp. and related entities alleging that the company and its affiliates had failed to make reasonable efforts to protect consumers’ private information. This ruling confirms that, in addition to the disruption and reputational harm that may follow in the wake of a successful cybersecurity, companies may also face a regulatory action from the FTC as well, as discussed further below. The Third Circuit’s opinion can be found here. The August 24, 2015 statement of the FTC’s Chair about the Third Circuit’s opinion can be found here.
Continue Reading Third Circuit: FTC May Pursue Data Breach Enforcement Action against Wyndham Worldwide