What is the Scope of the FTC’s Authority When it Comes to Data Security? Wyndham Asks Third Circuit to Consider


shutterstock_190663154In early July, Wyndham Hotels asked the Third Circuit Court of Appeals to decide whether the Federal Trade Commission (FTC) has the authority to oversee corporate data security. Although the FTC has brought dozens of actions against businesses for insufficient data security practices, this would be the first time that the courts have been asked to consider the scope of the FTC’s regulatory powers in the data security realm. The outcome of this case will almost certainly impact the FTC’s ongoing and future data security enforcement actions, as well as litigation concerning data security and privacy.

The appeal stems from an FTC action against Wyndham in the District Court of New Jersey in which a federal judge denied Wyndham’s motions to dismiss, but certified two questions for interlocutory appeal: whether Section 5 of the FTC Act grants the FTC authority to regulate corporate data security, and, if so, what notice the FTC must give before bringing unfairness claims. The district court pointedly stated that these two issues involve “novel [and] complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The appellate court may decide to review the legal conclusions of the district court’s order denying the dismissal. Alternatively, it may deny Wyndham’s petition and hear these issues on appeal, following a grant of summary judgment or the conclusion of a trial in this case.

While the Third Circuit decides whether to hear Wyndham’s appeal, the FTC’s action against the hotel chain remains ongoing at the district court level. The FTC complaint alleges that Wyndham’s data security practices constitute unfair trade practices under Section 5 of the FTC Act because they were not “reasonable and appropriate” in safeguarding consumer data.  It further alleges that the hotel chain engaged in “deceptive” trade practices because their security measures fell short of “commercially reasonable efforts” to protect personal information, as claimed in the Wyndham online privacy policy. The allegations stem from three data breaches in 2008 and 2009 that compromised the personal information of an estimated 600,000 accounts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:


Cozen O'Connor on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.