Today, the Federal Trade Commission is defending its authority to enforce Section 5 of the FTC Act against  Wyndham Hotels in connection with alleged lax data security procedures.  Following several publicized data security breaches, the FTC investigated Wyndham and concluded that the hotel company failed to employ “reasonable and appropriate” data security practices, citing, for example, Wyndham’s alleged failure to employ certain security patches and to maintain sufficient information security policies.  The FTC’s complaint against Wyndham alleges violations of both the “deception” and “unfairness” prongs of the FTC Act.  According to the FTC:

  • Wyndham engaged in “deceptive” practices by misrepresenting that it took “commercially reasonable efforts” to secure customers’ payment card data; and
  • Wyndham engaged in “unfair” practices because its lax security measures failed to adequately protect this payment card data.

Rather than enter into a consent order with the FTC to resolve these allegations, Wyndham is fighting the FTC’s authority to take action against the hotel company.  Today, a U.S. District Court in New Jersey will hear oral arguments relating to the motion to dismiss filed by Wyndham.  Wyndham’s motion to dismiss points to the absence of a specific delegation of authority from Congress to the FTC giving it authority to regulate data security — authority that the FTC repeatedly sought but failed to secure from Congress.    

Companies rarely litigate FTC enforcement actions, frequently resolving complaints through consent order.  Therefore, this is a rare judicial challenge to the FTC’s authority to regulate privacy and data security.  If the FTC were to lose the motion to dismiss, the FTC would have the right to appeal the decision to the Third Circuit Court of Appeals, but the loss would raise questions about the scope of the FTC’s authority as the chief U.S. regulator for privacy and data security.  Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority.  Companies that are subject to the FTC’s jurisdiction will want to follow this closely.