FTC’s Authority to Police Data Security Practices Challenged


Hotelier Wyndham Worldwide Corp’s motion to dismiss an FTC lawsuit alleging lax data security practices is likely to have significant implications for the agency’s ability to police cybersecurity practices at American businesses.

The FTC complaint alleges that the hotel chain did not provide adequate data security, leaving customers’ payment card numbers vulnerable to hacking.  According to the FTC, the alleged security breaches, which took place over a period of two years, led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.  The FTC is asking a New Jersey federal court to require Wyndham to beef up its security practices.  It is also seeking damages and an injunction to prevent Wyndham from future conduct that would violate the Federal Trade Commission Act.

Wyndham moved to dismiss the FTC’s complaint on the grounds that it exceeds the agency’s power and that the case was brought without any FTC guidance on what security practices the business should be adopting. Wyndham argued that Congress has not explicitly granted any Washington agency the authority to regulate corporate cybersecurity or to order companies to beef up their security. The FTC, on the other hand, argues that “[t]he case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.” Specifically, the agency said that the hotel engaged in both deceptive and unfair business practices by telling customers it used “standard industry practices” to protect their private information, when in fact its steps were not reasonable or appropriate in the agency’s eyes.

Although the FTC has brought numerous cybersecurity enforcement actions against companies on the premise that those companies engaged in unfair or deceptive practices by not taking adequate steps to protect consumers, this is the first time a federal judge will weigh in on the scope of the FTC’s powers in this area.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cohen & Gresser LLP | Attorney Advertising
