Federal Trade Commission Can Pursue Claims Against Company for Failure to Have Adequate Data Security, Court Rules

In a decision that is likely to result in increased federal enforcement actions against companies that suffer data security breaches but are found not to have taken sufficient steps to protect the data, a federal court on April 7, 2014, upheld the authority of the Federal Trade Commission (“FTC”) to require “reasonable” data-security measures and to pursue a complaint against companies that fail to do so when there is resulting substantial harm to consumers from a breach. See FTC v. Wyndham Worldwide Corp., --- F. Supp. 2d ---, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The decision is notable as the first federal court opinion addressing a breached entity’s challenge to the FTC’s assertion of broad authority under Section 5 of the FTC Act, which generally prohibits “unfair” or “deceptive” business practices, to enforce data-security standards across most industrial sectors that collect, use, or maintain consumers’ personal information.