Ad Law Access https://www.kelleydrye.com/viewpoints/blogs/ad-law-access Updates on advertising law and privacy law trends, issues, and developments Wed, 01 May 2024 17:54:27 -0400

Nevada and Maine Advance Legislation Addressing the “Sale” of Personal Data
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/nevada-and-maine-advance-legislation-addressing-the-sale-of-personal-data
Tue, 04 Jun 2019 14:37:34 -0400

While businesses rightfully have been focused on preparing for the California Consumer Privacy Act (“CCPA”), the Nevada and Maine Legislatures have moved forward with legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data. The Nevada bill, which was signed into law on May 29 and amends an existing data privacy statute, requires companies to provide a designated channel through which consumers can opt out of the sale of their personal data. The Maine bill, which has passed house and senate votes, notably would require opt-in consent prior to the sale of personal data; however, the law would narrowly apply to Internet Service Providers (“ISPs”) and exclude online companies perhaps more commonly associated with the disclosure and sale of consumer data.

• Nevada

Nevada’s SB 220 amends the state’s existing online privacy notice statute, NRS 603A.300 to .360, to add a provision that requires “operators” – which include most companies that conduct business online with Nevada residents – to comply with a consumer’s do-not-sell request (health care and financial institutions subject to HIPAA and GLBA are out of scope of the law). As of the October 1, 2019 effective date, operators are required to create a “designated request address,” such as an email address, toll-free number, or website, through which consumers can submit a “verified request” to restrict the sale of covered data. A “verified request” is one where the operator can reasonably verify the authenticity of the request and the consumer’s identity using “commercially reasonable means,” which the law does not define.

The personal information covered under the law includes personal data such as name, address, and SSN, as well as online contact information, and any other data collected by the company that could be viewed as personally identifiable. Notably, the law defines “sale” more narrowly than the CCPA to include the exchange of covered information for “monetary consideration” to a person “for the person to license or sell the covered information to additional persons.”

Operators will have 60 days to respond to a consumer’s do-not-sell request, though this timeline may be extended by up to 30 days where the operator deems it necessary and notifies the consumer. The provision will be enforced by the Nevada Attorney General’s Office, which can impose a penalty of up to $5,000 per violation.

• Maine

The bill advanced by the Maine Legislature, titled “an Act to Protect the Privacy of Online Customer Information,” would among other things prohibit ISPs’ use, disclosure, and sale of “customer personal information” without a customer’s opt-in consent, except under limited circumstances such as to provide the requested service, to collect payment, and several other narrow scenarios. Customer personal information subject to the law broadly would include (1) personally identifiable information about an ISP customer; and (2) information relating to a customer’s use of broadband Internet access service, including web browsing history, app usage, device identifiers, geolocation data, and other usage information. ISPs also would be prohibited from making the sale of data mandatory under the applicable terms of service, or refusing service to customers who do not consent to data collection.

The bill is an attempt to restore at the state level core provisions within the FCC’s 2016 broadband order that were repealed by Congress in 2017. The Maine State Chamber of Commerce has opposed the bill, claiming that ISPs are being unfairly singled out, and arguing that the law would result in a false sense of privacy for consumers given that large web-based companies such as Facebook and Google would not be subject to the law. The Governor still must sign the final legislation, which would take effect July 1, 2020.

Wyndham Hits a Wall in Challenge to FTC Data Breach Authority
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/wyndham-hits-a-wall-in-challenge-to-ftc-data-breach-authority
Fri, 11 Apr 2014 07:41:33 -0400

Earlier this week, a federal district court in New Jersey issued an opinion ruling on Wyndham Worldwide Corporation’s and three of its subsidiaries’ (collectively “Wyndham’s”) motion to dismiss, finding for the FTC on all grounds. While the court noted that the “decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the opinion underscores the risk exposure for companies that incur a data breach (or otherwise collect/store consumer data), and face FTC scrutiny thereafter as to whether their information safeguard practices are consistent with FTC expectations. While the FTC has reached over 50 data security settlements, this case represents the first time that the FTC is litigating its theory that a business’s privacy and data security practices may be unfair and/or deceptive under Section 5 of the FTC Act.

Background

On June 26, 2012, the FTC filed a lawsuit against Wyndham. The FTC alleged that the companies engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 independently-owned Wyndham-branded hotels with which the Defendants maintained franchise agreements.

The complaint alleged that the Defendants’ failure to implement reasonable and appropriate data security safeguards at the franchisee locations allowed computer hackers to breach franchisee computer systems and the Wyndham hotel data center on three separate occasions between April 2008 and January 2010. The hackers were able to gain access to the financial account information for more than 600,000 hotel customers. The FTC’s complaint also claims that Wyndham’s privacy policy misrepresented the extent to which the company protected consumers’ personal information. The complaint sought injunctive relief to prevent future violations of the FTC Act, as well as monetary relief for the affected hotel customers.

Wyndham’s Motion to Dismiss

In April 2013, Wyndham filed a motion to dismiss, seeking to dismiss the FTC’s complaint on four grounds. First, Wyndham challenged the FTC’s authority to assert an unfairness claim in the data-security context. Second, Wyndham asserted that the FTC must formally promulgate rules or regulations before bringing an unfairness claim, and that by failing to do so, the FTC is violating fair notice principles. Third, Wyndham argued that the FTC’s allegations are insufficiently pleaded to support either an unfairness or deception claim. Lastly, Wyndham challenged the FTC’s deception claim that Wyndham’s privacy policy misrepresented measures taken by the company to protect consumers’ personal information.

Ruling on Motion to Dismiss

On April 7, 2014, the court issued an opinion, FTC v. Wyndham Worldwide Corporation, et al., No. 13-1887 (D.N.J., Apr. 7, 2014) (Opinion), ruling on Wyndham’s motion to dismiss, finding for the FTC on all grounds.

In challenging the FTC’s authority to assert an unfairness claim in the data-security context, Wyndham argued that Congress has passed narrowly tailored data security legislation – including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act – and that the overall statutory landscape does not authorize the FTC to generally establish data security standards for the private sector under Section 5. The court disagreed, stating that the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme. In addition, the court found that data-security legislation proposed by Congress and the FTC’s public representations that it lacks the authority to require entities to adopt privacy policies do not give rise to a data-security exemption from the FTC’s unfairness authority.

Wyndham also asserted that the FTC would violate basic principles of fair notice and due process without promulgating rules, regulations, or guidelines explaining what data-security practices the Commission believes are required under Section 5. Wyndham argued that the FTC’s prior consent decrees and its business guidance provide no such notice. The court, however, was not persuaded by these arguments. The court recognized that previous Circuit Courts of Appeal have affirmed FTC unfairness actions in a variety of contexts without preexisting rules or regulations specifically addressing the conduct at issue. The court was also unpersuaded that regulations are the only means of providing sufficient fair notice. The court stated that Wyndham’s “argument that consent orders do not carry the force of law…misses the mark.” Indeed, the court found that the FTC’s rulings, interpretations and opinions, while not controlling upon the courts, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.

Wyndham further argued that an unfair practice must, by statute, cause consumer injury, and that injury from theft of payment card data is never substantial and always avoidable. The court, however, found that the FTC’s complaint sufficiently pleaded an unfairness claim under the FTC Act. Importantly, the court stated that the FTC’s allegations permit it to reasonably infer that Wyndham’s data-security practices caused theft of personal data, which ultimately caused substantial injury to consumers.

Lastly, in finding that the FTC’s deception claim was sufficiently pleaded, the court turned to the specific language found in Wyndham’s privacy policy. Wyndham argued that its privacy policy specifically excludes Wyndham-branded hotels from the policy’s data-security representations. The court was not convinced, noting that a reasonable customer would have understood that the policy makes statements about data-security practices for both Wyndham and Wyndham-branded hotels.

* * *

Although the court's ruling confirms that the FTC has the authority to assert an "unfair" or "deceptive" claim in the data-security context, the case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5 of the FTC Act. In the meantime, companies can help protect themselves by reviewing their information collection and security practices, carefully evaluating the type of information collected from customers or users of their websites, confirming that all data collected is transmitted and stored securely, and ensuring that all privacy and data-security representations accurately describe actual practices.

Sony and Epsilon on the 'Hot Seat': House Commerce Subcommittee Investigates 'Historic' Data Breaches
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/sony-and-epsilon-on-the-hot-seat-house-commerce-subcommittee-investigates-historic-data-breaches
Mon, 06 Jun 2011 10:26:18 -0400

On June 2, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining threats posed to data security and the much publicized data breaches at Sony and Epsilon. The hearing, “Sony and Epsilon: Lessons for Data Security Legislation,” focused on the recent Epsilon and Sony data breaches and the need for comprehensive federal data security and data breach notification legislation. The representatives and witnesses discussed the delays in Sony’s notification, the extent of the breaches, and the prospects for federal legislation.

The hearing is part of a comprehensive review of data security and electronic privacy initiated by the House Energy and Commerce Committee that was announced on June 1, 2011. According to the Committee press release, the first phase of the Committee’s review will focus on online data security and data theft prevention, followed later in the year by a focus on broader electronic privacy concerns.

At the hearing, Rep. Bono Mack called for a “uniform national standard” for data security and data breach notification, announcing her intent to introduce legislation. The hearing built on the growing record in Congress supporting data security and data breach notification legislation that could ultimately supersede the current patchwork of state laws.

New FTC Data Breach Cases Focus on HR Service Providers & Safeguarding Employee Data
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-ftc-data-breach-cases-focus-on-hr-service-providers-safeguarding-employee-data
Tue, 03 May 2011 15:00:27 -0400

Today, the FTC announced data security settlements with two companies based on allegations that the companies failed to employ reasonable data security measures. The twist in these cases, compared to prior FTC cases, is the focus on companies who act as service providers to businesses with respect to their employee data (as opposed to customer data).

The FTC settlements underscore:

  1. that reasonably protecting employee/HR data is within the FTC's scope of enforcement under Section 5 of the FTC Act, and
  2. the importance for all businesses to (a) exercise due diligence in selecting vendors that will have access to their employee/human resources data, and (b) confirm via contract and otherwise that the vendors have reasonable security measures in place (as to both the products being offered and the vendor's own business where the HR data will be maintained).

The Charges: In the two cases at issue, the HR service providers both incurred data breaches resulting in compromised employee information (e.g., employee names, addresses, social security numbers, dates of birth, direct deposit information). According to the FTC complaints:

  • Ceridian (a payroll and human resource services provider) operated a web-based payroll processing service for small business customers. The FTC's allegations focused on the vendor's practice of storing the HR PII in plain text and indefinitely without a business need, remaining vulnerable to predictable SQL injection attacks, and not employing measures to detect and prevent unauthorized access to the PII. As a result, the FTC alleged the company lacked adequate network protections and mishandled its customers' employee information, resulting in a data breach that affected 28,000 employees of its small business customers.
  • Lookout Services, Inc. markets a web-based compliance product for employers who need to maintain citizenship information about their employees. The FTC's allegations charged that the vendor failed to implement reasonable security safeguards, including the absence of reasonable security policies, inadequate passwords and user credentials, and an insecure web application, resulting in a data breach of the company's database that retained 37,000 social security numbers.

The Settlements: Under the settlements, Ceridian and Lookout Services must implement comprehensive information security programs that need to be independently audited every other year for 20 years. Additionally, the companies are barred from misrepresenting the privacy, confidentiality, and integrity of the personal information that they maintain in their systems. Violations of an FTC Order can subject a company to up to $16,000 per violation.
