Mitigating the Threat of Cybersecurity Litigation in an Ambiguous Regulatory Environment
By James D. Gassenheimer, Partner, Berger Singerman | December 07, 2014
Co-authored by Lara E. O'Donnell, Associate, Miami Office of Berger Singerman
The hospitality industry has become an ever-increasing target for cybercrimes and, accordingly, for related litigation. Although the prevailing legal standard requires hotels and other businesses to take reasonable steps to protect customers' personal information, our experience is that juries hold the hospitality industry to higher standards. Jurors relate to guests on vacation and believe they should not have to bring with them the same level of vigilance they apply to their everyday lives. With expectations heightened, how should businesses approach protecting customers' personal information from cybersecurity threats in this ambiguous regulatory environment, and what steps can be taken to mitigate exposure to cybersecurity lawsuits?
The FTC's Claims Against the Wyndham Entities
The 'reasonableness' standard, articulated recently by the New Jersey district court in the Federal Trade Commission's ("FTC") cybersecurity lawsuit against Wyndham Worldwide Corporation and related entities, remains largely undefined by courts. In FTC v. Wyndham Worldwide Corp., No. 13-1887 (ES), 2014 WL 2812049 (D.N.J. June 23, 2014) ("Wyndham II"), the court determined that the FTC's claims against various Wyndham entities adequately stated claims for unfair and deceptive trade practices under Section 5(a) of the FTC Act. Specifically, the FTC alleged that the Wyndham entities violated the Act by failing "to maintain reasonable and appropriate data security for consumers' sensitive personal information." Wyndham II, 2014 WL 2812049 at 1. In a prior related ruling, the district court similarly decided that the FTC adequately stated claims against Wyndham Hotels and Resorts, LLC. See FTC v. Wyndham Worldwide Corp., --F. Supp. 2d--, 2014 WL 1349019 (D.N.J. April 7, 2014) ("Wyndham I").
The Wyndham case raises questions as to the FTC's authority to assert an unfairness claim under the FTC Act in the data-security context, whether the FTC must first issue regulations in order to provide adequate notice of such claims, and what elements are required to state a claim that the Wyndham entities failed to maintain adequate data security for customers' information. The New Jersey district court decided, as a threshold matter, that the FTC did have authority and need not issue regulations, and that the FTC's complaint adequately stated claims against the Wyndham entities.
The court further found that the Wyndham entities may be held jointly and severally liable based on a "common enterprise" theory, if the FTC proves its claims. When the structure, organization, and operation of a business venture among separate corporate entities reveal a common enterprise of interrelated companies, those companies may be held jointly and severally liable. In determining whether common enterprise liability exists, the court generally looks to factors such as common control, the sharing of office space and officers, whether business is transacted through a maze of interrelated companies, unified advertising, and evidence which otherwise reveals the entities are intertwined. The court in Wyndham II found that, as an initial matter, the FTC adequately alleged the Wyndham entities were subject to common enterprise liability.