An Emboldened FTC: What Does It Mean for a Company’s Cybersecurity Team?


In April, Edith Ramirez, Chairwoman of the FTC, and Julie Brill, FTC Commissioner, tweeted: “Pleased the court recognized @FTC’s authority to hold biz accountable for safeguarding consumer data & look forward to trying this case.” This tweet was celebratory, but signaled caution to companies regulated by the Federal Trade Commission (FTC).

The tweet referred to the decision of the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide Corp., which affirmed that the FTC has authority to regulate cybersecurity under Section 5 of the Federal Trade Commission Act (FTCA). The FTC had charged the hotel chain with unfair and deceptive trade practices “in connection with [Wyndham’s] failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The FTC alleged that Wyndham’s security failures allowed hackers to access its Phoenix, Arizona data center in three data breaches in 2008 and 2009, during which consumers’ accounts were exposed, more than $10.6 million in fraud loss was incurred, and consumers’ payment card account information was exported to a Russian-registered domain. The FTC claimed certain statements on Wyndham’s website and privacy policies were deceptive, including the hotel chain’s assertion: “We safeguard our Customers’ personally identifiable information by using industry standard practices. Although ‘guaranteed security’ does not exist either on or off the Internet, we take commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”

Wyndham responded to the enforcement action with an aggressive motion to dismiss, asserting that the FTC did not have the power to regulate corporate data security practices. But the court favored a broad reading of the FTC’s power, noting that Congress vested the commission with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” In early July, Wyndham asked the Third Circuit Court of Appeals to hear two interlocutory questions: (1) whether Section 5 of the FTCA grants the FTC authority to regulate corporate data security, and (2) if so, what notice the FTC must give before bringing unfairness claims.

The Wyndham case undoubtedly will embolden the FTC in its enforcement efforts against businesses that collect or use consumer information, including those in the healthcare, hospitality, and mobile applications industries. Therefore, organizations should review not only their data and cybersecurity protocols but also their data protection policies—and do so under the protection of the attorney-client privilege. Although the FTC does not publish the rules and regulations determined through confidential settlements with FTC-regulated companies—a main component of Wyndham’s argument regarding the lack of notice for compliance purposes—the FTC has published public statements and maintains it provides guidance through its enforcement actions on data breaches. Corporate legal departments should evaluate these FTC rulings and statements and compare their company’s cybersecurity practices against them to ensure they are using “commercially reasonable” measures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Conduent | Attorney Advertising
