What is the Scope of the FTC’s Authority When it Comes to Data Security? Wyndham Asks Third Circuit to Consider

more+
less-

shutterstock_190663154In early July, Wyndham Hotels asked the Third Circuit Court of Appeals to decide whether the Federal Trade Commission (FTC) has the authority to oversee corporate data security. Although the FTC has brought dozens of actions against businesses for insufficient data security practices, this would be the first time that the courts have been asked to consider the scope of the FTC’s regulatory powers in the data security realm. The outcome of this case will almost certainly impact the FTC’s ongoing and future data security enforcement actions, as well as litigation concerning data security and privacy.

The appeal stems from an FTC action against Wyndham in the District Court of New Jersey in which a federal judge denied Wyndham’s motions to dismiss, but certified two questions for interlocutory appeal: whether Section 5 of the FTC Act grants the FTC authority to regulate corporate data security, and, if so, what notice the FTC must give before bringing unfairness claims. The district court pointedly stated that these two issues involve “novel [and] complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The appellate court may decide to review the legal conclusions of the district court’s order denying the dismissal. Alternatively, it may deny Wyndham’s petition and hear these issues on appeal, following a grant of summary judgment or the conclusion of a trial in this case.

While the Third Circuit decides whether to hear Wyndham’s appeal, the FTC’s action against the hotel chain remains ongoing at the district court level. The FTC complaint alleges that Wyndham’s data security practices constitute unfair trade practices under Section 5 of the FTC Act because they were not “reasonable and appropriate” in safeguarding consumer data.  It further alleges that the hotel chain engaged in “deceptive” trade practices because their security measures fell short of “commercially reasonable efforts” to protect personal information, as claimed in the Wyndham online privacy policy. The allegations stem from three data breaches in 2008 and 2009 that compromised the personal information of an estimated 600,000 accounts.

Topics:  Administrative Authority, Cybersecurity, Data Protection, FTC, FTC v Wyndham, Unfair or Deceptive Trade Practices, Wyndham

Published In: Antitrust & Trade Regulation Updates, Civil Procedure Updates, Consumer Protection Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »