Third Circuit affirms FTC’s jurisdiction over security practices in Wyndham case

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

In a strongly worded opinion, the Third Circuit Court of Appeals on Monday slammed Wyndham Worldwide Corporation’s arguments that the FTC did not have jurisdiction to enforce the security practices of businesses following a data breach. The Court noted that it found most of Wyndham’s arguments “unpersuasive.” This is the first Circuit Court of Appeals case to opine on the FTC’s jurisdiction in data security matters.

Wyndham was the first company to challenge the FTC’s jurisdiction after it suffered a series of breaches between 2008 and 2010. LabMD took up the gauntlet thereafter and continues its battle against the FTC. The crux of the argument was that Wyndham was a victim of crime, and the FTC did not publish any regulations or guidance on data security in order for the companies to understand that the FTC could regulate their security practices and bring enforcement actions against them for lax security practices. The FTC has strongly disputed the allegations and has expanded its enforcement role over the security practices of companies following data breaches under Section 5 of the FTC Act, arguing that if a company tells consumers in its Privacy Policy that it will keep customers’ data secure, and then it doesn’t, such is an unfair or deceptive business practice that subjects it to FTC enforcement. The Court rebuffed Wyndham’s citing of a dictionary that its practice is only unfair if it is “not equitable” or is “marked by injustice, partiality, or deception” by stating “[A] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes unsuspecting customers to substantial financial injury, and retains the profits of their business.”

After the Court issued its opinion, FTC Chairwoman Edith Ramirez stated in a press release that the decision

reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide