Third Circuit Affirms FTC’s Identity Theft Powers

by David Cosgrove

In a surprisingly unanimous decision, the Third Circuit held that the FTC could move forward on a deceptive practices claim against Wyndham Worldwide Corp. The FTC alleges that it can hold the hotel conglomerate liable for failing to provide its customers with “reasonable protections against theft of online data.” (The Wall Street Journal, “FTC Can Target Firms for Lax Security,” Brent Kendall, 8/25/15, Sec. B-4)

According to The Wall Street Journal, Wyndham argued that the FTC’s suit was like a supermarket being sued for leaving banana peels out and about on the floor. For real? They made that argument? It should have been no surprise that they slipped and fell on that one.

The FTC’s deceptive practices hook in a series of data security cases is, according to its press release in this case: “to make sure that companies live up to the promises they make about privacy and data security.” Further, at least as to Wyndham, the company’s “privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumer’s personal information.”

I pulled the Amici brief Public Citizen, Inc. and others filed in the Third Circuit. It is really quite good, so I provide it to you with a link to it here. I think this quote captures the heart of it:

“When consumers transact business online, they entrust sensitive information—financial, medical, and other personal data, such as birth dates and even Social Security numbers—to the companies with which they do business. Recognizing the value of such consumer information, criminals seek to exploit vulnerabilities in companies’ computer systems. Sensitive consumer data such as credit or debit card numbers, bank account information, and Social Security numbers command large sums on the black market, as criminals can use this information to drain funds from bank accounts, make fraudulent purchases, apply for credit, and wrongfully obtain tax refunds or other government benefits. When such information is stolen, consumers expend money and time to, for example, dispute fraudulent transactions, notify their creditors of the identity fraud, and repair their credit. In some instances, consumers may be denied employment because of a damaged credit report, be unable to obtain low-cost credit, or be denied access to credit entirely, events that impair their chances of attaining or building their wealth through conventional means such as purchasing a home or financing an education. For these reasons, the Wyndham Appellants’ argument that the FTC did not plausibly plead a substantial injury to consumers has no merit. Although the injuries resulting from a data breach can be significant, private tort suits alleging such injuries are difficult to bring, and federal courts to date have not recognized a private remedy for consumers against companies where the companies’ failure to adequately ensure against network breaches enables theft of consumers’ data but that data has not yet been misused, to the consumers’ knowledge. Thus, FTC enforcement actions pursuant to Section 5 of the FTC Act, 15 U.S.C. § 45, against companies that fail reasonably to protect their consumers’ information from misappropriation are currently the only effective means of redressing the unfair corporate practices that lead to corporate data breaches that cause substantial injuries to consumers.” Amici Curiae brief, pp. 3-5

Pretty reasonable argument.

The attorneys at Cosgrove Law Group, LLC represent consumers as well as companies at the tip of a regulator’s spear. Call us if you need us.