One of the biggest US cyber liability questions is – as Congress has not passed a law on point – who is responsible for policing data breaches and enforcing the violations? (The question is of less impact in places like the EU where responsibility is clearly delineated by laws). The recent case of Federal Trade Commission v. Wyndham Worldwide Corporation sheds light on the issue.

In the case, Judge Salas, a New Jersey federal district court trial judge, was asked to rule on the legality of the Federal Trade Commission’s attempt to “be” the enforcer when it filed a 15 U.S.C. § 45(a) FTC Act claim against Wyndham Hotels and Resorts. 15 U.S.C. § 45(a) empowers the FTC to file actions against acts or practices “affecting commerce” that are “unfair” or “deceptive. The violations at issue resulted from Wyndham’s alleged failure to properly deal with unauthorized attacks on its property management systems – attacks that led to the compromise of more than 619,000 consumer payment card account numbers and the resultant sale of those numbers to Russian black market entities.

In response to the claim, Wyndham filed a Fed. R. Civ. P. 12(b)(6) motion to dismiss. It argued that 15 U.S.C. § 45(a) only empowered the FTC to regulate “unfair and deceptive acts or practices” and policing data breaches did not fall within the scope of this power. In a decision of first impression (that is certain to be appealed), Judge Salas held that 15 U.S.C. § 45(a) did, in fact, empower the FTC to police data breaches. She has thus allowed the action to go forward.

What does all of this mean for insurers and their insureds? The answer is two-fold. First, insurers must question whether the policies they write provide coverage for regulatory actions commenced by the FTC. Second, insurers and insureds need to understand that, beyond dealing with consumer claims, a FTC 15 U.S.C. § 45(a) action when a data breach occurs should be expected.

For more information about this post, please contact Bob Cosgrove at .