On April 7, a federal judge denied the motion of Wyndham Hotels & Resorts, LLC (“Wyndham”) to dismiss a complaint brought by the Federal Trade Commission (“FTC”) for unfair or deceptive acts or practices based on alleged breaches of the property management system used by Wyndham and its franchisees. This was the first time a business has challenged the FTC’s enforcement authority in this area. The ruling affirms the FTC’S authority and allows the agency to move forward with a consideration of potential liability. We previously reported on this case in a Privacy Alert dated December 17, 2013.
The FTC action alleged that franchisor entity Wyndham Hotels & Resorts, along with its affiliates and franchisees, engaged in deceptive practices by misrepresenting that they used “industry standard practices” and “commercially reasonable efforts” to secure the data they collected from their guests, and in “unfair” practices by failing to protect customer data.
Wyndham moved to dismiss the complaint on the grounds that the FTC does not have the authority to assert an unfairness claim in the data security context, that the FTC must promulgate regulations before bringing an unfairness claim, and that the FTC did not sufficiently plead allegations to support its unfairness or deception claim, in part because the hotels operated by franchisees are separate entities for which Wyndham is not legally responsible. The court disagreed with each of Wyndham’s arguments.
Of particular interest to franchisors is the rejection of Wyndham’s contention that “as a matter of law, it [Wyndham] is necessarily a separate entity from Wyndham-branded hotels,” such that each maintain their own computer networks and engage in separate data collection practices. The court noted that the FTC alleged that Wyndham failed to provide reasonable security for the personal information collected by it and its franchisees, and determined that the allegation was sufficient to withstand a motion to dismiss.
The court made clear that its opinion is not a determination on liability, and that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead the Court denies a motion to dismiss given the allegations in this complaint.” However, the opinion clearly supports further enforcement actions by the FTC in the data privacy and security areas. It also illustrates the difficulty franchisors may have in separating their liability for data security snafus from that of their franchisees, particularly when the franchisor exercises some control, and the franchisor and franchisees share a network or are otherwise susceptible to breaches of each other’s systems. In addition, this case serves as a reminder that businesses should carefully consider what they state in their website privacy policies relative to data security.
We will continue to monitor this case as it proceeds.