It is a dangerous world out there. Among many other things, companies and other organizations are increasingly vulnerable to data security attacks from would-be hackers. Indeed, an April 8, 2014 New York Times article entitled “Hackers Lurking in Vents and Soda Machines” (here) notes that “companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest places for vulnerabilities.”
According to the article, in recent incidents hackers have gained access to sensitive data through all kinds of internal systems, including “heating, ventilation and air-conditioning; billing; expense and human-resource management systems; graphics and data analytics functions; health insurance providers; and even vending machines.”
As if it were not enough that companies and other organizations have to contend with the possibility that hackers are coming at them from just about every conceivable direction, the companies must also face the possibility that if they are subject to a successful hack, they may have to face an enforcement action from governmental regulators over the breach and its consequences.
In an April 7, 2014 decision (here), in a test case of the agency’s authority, District of New Jersey Judge Esther Salas confirmed the authority of the Federal Trade Commission to pursue an enforcement action against Wyndham Worldwide Corp. and related entities alleging that the company and its affiliates had failed to make reasonable efforts to protect consumers’ private information.
Background
The FTC alleges that between April 2008 and January 2010, intruders gained unauthorized access to Wyndham’s computer network on three occasions, on each occasion accessing sensitive personal information stored in Wyndham’s hotel property management system. The agency also alleges that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise” of its network. The FTC alleges that the data breaches resulted in the compromise of more than 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia, allegedly causing fraudulent charges and more than $10.6 million in fraud loss.
As discussed here, the FTC filed a complaint against Wyndham and its related entities alleging that the defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information violated the prohibition in Section 5(a) of the Federal Trade Commission Act of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” The FTC’s lawsuit seeks to compel the company to improve its security measures and to remedy any harm its customers have suffered.
The defendants moved to dismiss, arguing that the FTC does not have the authority to bring an unfairness claim involving data security; that fair notice principles require the agency to promulgate regulations before bringing this type of unfairness claim; and that the FTC’s allegations are pleaded insufficiently to support either an unfairness or a deception claim.
The April 7 Ruling
In a detailed, 42-page opinion, Judge Salas denied the defendants’ motion to dismiss and rejected the hotel chain’s arguments that the FTC does not have the authority to regulate data-security practices or that the agency has to issue regulations before bringing a data breach enforcement action. She also held that the FTC’s allegations were sufficient to state a claim for purposes of the motion to dismiss.
Before considering the question of whether the FTC had authority to bring the action, Judge Salas noted that “we live in a digital age that is rapidly evolving – and one in which maintaining privacy is, perhaps, an ongoing struggle.” This environment “raises a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.”
In contending that the FTC did not have the authority to regulate data security and therefore to bring the enforcement action, Wyndham argued that various measures Congress has enacted give certain federal agencies the authority to establish minimum data-security standards in various sectors of the economy, in effect carving out a data-security exception to the FTC’s unfairness authority through those specific statutory provisions. Judge Salas found that the data-security legislation “seems to complement – not preclude – the FTC’s authority” and that in any event the legislative actions “do not call for a data-security exception to the FTC’s unfairness authority.”
As for Wyndham’s argument that fair notice requires the FTC to issue rules and regulations before it can file an unfairness claim, Judge Salas noted that “Circuit Courts of Appeal have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations specifically addressing the conduct-at-issue.” Moreover, she said she could not accept “the untenable consequence of accepting” Wyndham’s argument, namely that the FTC would have to cease bringing all unfairness actions without first prescribing particularized prohibitions – “a result that is in direct contradiction with the flexibility inherent in Section 5 of the FTC Act.”
Finally, with respect to Wyndham’s argument that the FTC’s complaint did not satisfy minimum pleading requirements because, among other things, it did not specify how the consumers had suffered the requisite “substantial injury,” Judge Salas concluded that the FTC’s complaint sufficiently pleads both an unfairness claim and a deception claim under Section 5 of the FTC Act.
Judge Salas emphasized, with respect to her rulings, that “the Court does not render a decision on liability today,” and she further emphasized that her decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Instead, she said, her decision only “denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage – in view of binding and persuasive precedent.”
Discussion
Though Judge Salas took pains to emphasize that her ruling was narrow and addressed only the specific matter and issues before her, her decision does nevertheless have “broad ramifications for the liability of companies whose security systems are breached,” according to an April 7, 2014 Wall Street Journal article about the ruling in the Wyndham case (here).
According to the Journal, the FTC has brought dozens of data-security cases, but “the overwhelming majority of them have produced out-of-court settlements, meaning judges were never asked to weigh in on the agency’s powers.” The article quotes the FTC’s chair, Edith Ramirez, as saying that the ruling confirms the agency’s ability to “hold companies accountable for safeguarding consumer data.” It also quotes her as saying “Companies should take reasonable steps to secure sensitive consumer information,” adding that “when they do not, it is not only appropriate but critical that the FTC take action on behalf of consumers.”
By now, most company officials are aware that a significant data breach can be disruptive and expensive for their companies and can be a public relations disaster. In addition to these problems, a significant data breach can also have litigation consequences. As I noted in a recent post, following Target’s recent high profile data breach, the company’s directors and officers were hit with a shareholders’ derivative suit. And as the FTC’s Wyndham case shows, companies experiencing significant data breaches at least potentially could face a civil enforcement action from the FTC, and perhaps from other regulators as well. Not only does this case affirm the FTC’s authority to bring these types of actions, but the statements of the FTC chair make it clear that the agency intends to pursue more of these kinds of actions on behalf of consumers.
For publicly traded companies, these kinds of regulatory actions may present insurance challenges. The only defendants in this action were the corporate parent company and certain of its operating subsidiaries. In a public company D&O policy, the corporate entity is provided coverage only for securities claims. Because the FTC’s enforcement action did not allege violation of the securities laws, an FTC action of this kind would not trigger the entity coverage found in most D&O policies.
While private company D&O insurance policies provide broader entity coverage, private company policies also often contain so-called “antitrust” exclusions that broadly preclude coverage for claims involving allegations of unfair or deceptive trade practices. The exclusions in some carriers’ policies expressly preclude coverage for claims under the Federal Trade Commission Act. Some carriers will remove these exclusions upon request, but others will not, while yet others will only provide so-called antitrust coverage on a sublimited basis, or on a defense-cost-only basis.
Many carriers now offer separate cyber risk insurance policies that include third-party liability protection. The third-party liability protection available under these cyber risk policies usually includes insurance protection for actions brought by regulators following a data breach, including even coverage for regulatory fines and penalties where insurable. However, the third-party regulatory protection available under many cyber risk policies is often subject to a sublimit.
The threat of a significant cyber breach presents a significant risk for companies, and, increasingly, these risks include the possibility of litigation following a data breach — including the risk of litigation brought by shareholders or by regulators. These data breach litigation risks in turn may present potentially complex insurance coverage issues, which underscores the need for companies to consult with knowledgeable insurance advisors in connection with these developing litigation exposures.