In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI DSS) and annual independent audits to confirm compliance.

PCI compliance has apparently become a topic of great interest to the FTC, and it has now issued an Order to nine PCI DSS auditors pursuant to Section 6(b) of the FTC Act, seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy. The companies have been given 45 days to respond with a “Special Report” containing information, documents, and items responsive to the Order. According to the FTC’s Press Release regarding the Order, “[i]nformation collected by the FTC will be used to study the state of PCI DSS assessments.”

The Order contains a number of requests with upwards of 38 subparts, and specifically seeks both information and documentation regarding PCI auditing activities from January 2013 through the present, including:
Full post: Following its Settlement with Wyndham, the FTC Launches Wide Scale Inquiry Into PCI Compliance Audits

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking. As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends. One of Wyndham’s arguments, articulated in its motion to dismiss before District Judge Esther Salas, was that Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent. Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority. During oral arguments before the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm. The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.
Full post: Third Circuit Upholds FTC’s Authority in Wyndham Case

A New Jersey federal court is allowing the FTC’s case against Wyndham Worldwide Corporation to go forward, denying Wyndham’s Motion to Dismiss on both the unfairness and deception counts. In this closely watched case, the court emphasized that in denying Wyndham’s request for dismissal, it was not providing the FTC with a “blank check to

Officers and directors may breathe a temporary sigh of relief following the recent dismissal of the Home Depot data breach derivative case. Others will look to the facts for guidance.

The complaint alleging the board had breached its fiduciary duties by “knowingly and in conscious disregard” failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information was dismissed with prejudice. The November 30, 2016 ruling by the Northern District of Georgia acknowledged that this was an “incredibly high hurdle” to surmount, signalling for at least the second time that D&O claims in derivative actions face an uphill pleading climb.
Full post: Officers and Directors Spared Home Depot Data Breach Derivative Lawsuit

In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against the Atlanta-based cancer screening laboratory LabMD Inc., brought following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or could potentially harm, consumers.
Full post: ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers