In early July, Wyndham Hotels asked the Third Circuit Court of Appeals to decide whether the Federal Trade Commission (FTC) has the authority to oversee corporate data security. Although the FTC has brought dozens of actions against businesses for insufficient data security practices, this would be the first time that the courts have been asked to consider the scope of the FTC’s regulatory powers in the data security realm. The outcome of this case will almost certainly impact the FTC’s ongoing and future data security enforcement actions, as well as litigation concerning data security and privacy.
The appeal stems from an FTC action against Wyndham in the District Court of New Jersey in which a federal judge denied Wyndham’s motions to dismiss, but certified two questions for interlocutory appeal: whether Section 5 of the FTC Act grants the FTC authority to regulate corporate data security, and, if so, what notice the FTC must give before bringing unfairness claims. The district court pointedly stated that these two issues involve “novel [and] complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”
The appellate court may decide to review the legal conclusions of the district court’s order denying the dismissal. Alternatively, it may deny Wyndham’s petition and hear these issues on appeal, following a grant of summary judgment or the conclusion of a trial in this case.