Earlier today, in a long-awaited decision, Judge Salas of the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss a Federal Trade Commission (“FTC”) lawsuit alleging Wyndham violated Section 5 of the FTC Act by failing to provide “reasonable” security for the personal information of its customers. The case has been closely watched because Wyndham’s central argument is that the FTC’s authority under Section 5 to prohibit “unfair” practices does not allow the Commission to pursue companies for data security failures. Although the FTC has settled a number of complaints that have relied on this broad interpretation of its unfairness authority, this is the first time a court has had the opportunity to weigh in on the scope of that authority in the privacy and data security context. In a 42-page opinion, Judge Salas rejected each of Wyndham’s challenges to the FTC’s Section 5 authority and to the sufficiency of the complaint in this case.
Although today’s decision will rightly be hailed as a landmark, it is important to recognize that the case still is in the early stages, and that Wyndham will likely have several more opportunities to make its arguments—including to the Court of Appeals for the Third Circuit, which could see things differently than Judge Salas. But for today anyway, the FTC’s unfairness authority has survived unscathed.