Today, the Federal Trade Commission is defending its authority to enforce Section 5 of the FTC Act against  Wyndham Hotels in connection with alleged lax data security procedures.  Following several publicized data security breaches, the FTC investigated Wyndham and concluded that the hotel company failed to employ “reasonable and appropriate” data security practices, citing, for example, Wyndham’s alleged failure to employ certain security patches and to maintain sufficient information security policies.  The FTC’s complaint against Wyndham alleges violations of both the “deception” and “unfairness” prongs of the FTC Act.  According to the FTC:

  • Wyndham engaged in “deceptive” practices by misrepresenting that it took “commercially reasonable efforts” to secure customers’ payment card data; and
  • Wyndham engaged in “unfair” practices because its lax security measures failed to adequately protect this payment card data.

Rather than enter into a consent order with the FTC to resolve these allegations, Wyndham is fighting the FTC’s authority to take action against the hotel company.  Today, a U.S. District Court in New Jersey will hear oral arguments relating to the motion to dismiss filed by Wyndham.  Wyndham’s motion to dismiss points to the absence of a specific delegation of authority from Congress to the FTC giving it authority to regulate data security — authority that the FTC repeatedly sought but failed to secure from Congress.    

Companies rarely litigate FTC enforcement actions, frequently resolving complaints through consent order.  Therefore, this is a rare judicial challenge to the FTC’s authority to regulate privacy and data security.  If the FTC were to lose the motion to dismiss, the FTC would have the right to appeal the decision to the Third Circuit Court of Appeals, but the loss would raise questions about the scope of the FTC’s authority as the chief U.S. regulator for privacy and data security.  Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority.  Companies that are subject to the FTC’s jurisdiction will want to follow this closely.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.