FTC’s Authority to Police Data Security Practices Challenged


Hotelier Wyndham Worldwide Corp’s motion to dismiss an FTC lawsuit alleging lax data security practices is likely to have significant implications for the agency’s ability to police cybersecurity practices at American businesses.

The FTC complaint alleges that the hotel chain did not provide adequate data security, leaving customers’ payment card numbers vulnerable to hacking.  According to the FTC, the alleged security breaches, which took place over a period of two years, led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.  The FTC is asking a New Jersey federal court to require Wyndham to beef up its security practices.  It is also seeking damages and an injunction to prevent Wyndham from future conduct that would violate the Federal Trade Commission Act.

Wyndham moved to dismiss the FTC’s complaint on the grounds that it exceeds the agency’s power and that the case was brought without any FTC guidance on what security practices the business should be adopting.  Wyndham argued that Congress has not explicitly granted any Washington agency the authority to regulate corporate cybersecurity or order them to beef up their security.  The FTC, on the other hand, argues that “[t]he case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.”  Specifically, the agency said that the hotel engaged in both deceptive and unfair business practices by telling customers it used "standard industry practices" to protect their private information, when in fact its steps were not reasonable or appropriate in the agency’s eyes.

Although the FTC has brought numerous cybersecurity enforcement actions against companies on the premise that those companies engaged in unfair or deceptive practices by not taking adequate steps to protect consumers, this is the first time a federal judge will weigh in on the scope of the FTC’s powers in this area.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cohen & Gresser LLP | Attorney Advertising

Written by:


Cohen & Gresser LLP on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.