By Andrew Cohen
Continually pushing companies to safeguard their customer information, the Samuelson Law, Technology & Public Policy Clinic has filed an amicus brief in a high-profile case before the U.S. Third Circuit Court of Appeals.
Brought by the Federal Trade Commission (FTC) against global hospitality company Wyndham Worldwide Corp., the case focuses on data protection failures that led to three security breaches at Wyndham hotels in less than two years. The complaint says Wyndham’s privacy policy misrepresented the measures the company took—resulting in hundreds of thousands of credit card numbers being stolen and millions of dollars in fraudulent charges, among other harms.
“Everyone today who uses a credit card or the Internet understands that data security is of increasing concern,” said Catherine Crump, the Samuelson Clinic’s associate director. “If you buy something from a website, you don’t have a real way to know if that company is treating your credit card information with the security it deserves.”
Representing the Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology—both leading digital rights organizations—the Samuelson Clinic argued that Wyndham’s security practices were unfair and deceptive in violation of the FTC Act. The case probes the scope of FTC authority, with Wyndham questioning whether the agency can regulate data security at all.
In April 2014, a New Jersey federal judge ruled in favor of the agency regarding its ability to regulate data security under the FTC Act’s unfairness prong. Because the ruling involved a novel question of law, however, the judge allowed Wyndham to appeal to the Third Circuit.
“If the court accepts Wyndham’s argument that due process is violated if the FTC regulates based on the authority to prevent unfair trade practices, then a broad range of other federal consumer protection statutes will also be susceptible to constitutional challenges,” Crump said. “Also, 10 states have passed data security statutes since 2006—all premised on the same concepts that companies must take reasonable steps to protect consumer data.”
More information about the brief is available here.
Students step up
Berkeley Law students Jonathan Francis ’15, Madeline Mai ’15, and Kelly Vargas ’16 collaborated to draft the brief. They were supervised by Crump and Samuelson Clinic Senior Staff Attorney Chris Hoofnagle.
Vargas ’16,
Madeline Mai ’15, and Jonathan Francis ’15
“The students were great,” said EFF senior staff attorney and Berkeley Law graduate Lee Tien ’87. “They were very professional, delivered high-quality writing, and brought a thoughtful approach to the legal and tactical aspects of the project. Of course, that’s in no small part due to Professor Crump, a superb lawyer and clearly also a fine teacher and mentor.”
Briefing is ongoing and the Third Circuit is expected to hear arguments in 2015. From the students’ perspective, the case serves as a hearing on the FTC’s entire purpose.
“Wyndham provides no principled reason why the FTC’s authority to bring enforcement actions against unfair practices should contain a ‘carve-out’ for data security practices,” Mai said. “It’s an important case to work on because data security breaches are increasing at a rapid clip. Those entities holding consumer financial data should treat that information sensitively, and be held accountable when they don’t.”
Vargas, who drafted the brief’s sections on state data security statutes and federal bankruptcy law, became so interested in the FTC’s mission that she is now pursuing an externship with the agency. “Its power to bring enforcement actions in the data security context is being threatened,” she said. “In light of the growing number of data security breaches, the need for the FTC’s regulation of these practices is paramount.”
The students immersed themselves in aspects of administrative law, consumer law, and due process while gaining valuable legal research and writing experience. They also hailed the benefits of collaboration and frequent client interaction.
“Working directly for public-interest clients was a valuable experience and a great opportunity,” Francis said. “The FTC’s flexible authority is essential to effectively protect consumers in an increasingly networked world. Congress and states have recognized this fact in broad areas of consumer protection, and disrupting this regulatory scheme would be harmful to consumers.”