Earlier this week, Wyndham Hotels & Resorts LLC moved to dismiss the complaint filed against it by the Federal Trade Commission in connection with Wyndham’s data security practices, asserting that the FTC has neither the authority nor the expertise to regulate them.

As we previously noted, the FTC filed a complaint against Wyndham in June — the first data security enforcement action to be litigated instead of being resolved by settlement.  Wyndham has now moved to dismiss the complaint, calling the FTC’s case “a classic example of agency overreaching.”

As we previously noted, the FTC filed a complaint against Wyndham in June — the first data security enforcement action to be litigated instead of being resolved by settlement.  Earlier this week, Wyndham has now moved to dismiss the complaint, calling the FTC’s case “a classic example of agency overreaching.”  

In response to the FTC’s allegations that failure to employ reasonable security measures is an “unfair” act under Section 5 of the FTC Act, Wyndham asserted that the FTC’s unfairness authority does not extend to data security.  According to the company, the fact that Congress has enacted specific laws governing data security in certain sectors — and Congress’s failed attempts to pass comprehensive data security legislation — preclude the FTC from regulating data security outside of those limited sectors.  To bolster its argument about the FTC’s lack of jurisdiction over data security, Wyndham pointed to a 2000 report in which the FTC asked Congress to enact online privacy legislation because “the Commission lacks authority to require firms to adopt information practice policies.”  Wyndham also suggested that the FTC was straying “far afield from its core competencies” by attempting to regulate data security. 

A judicial decision on the scope of Section 5’s prohibition on unfairness could have a significant effect on future FTC privacy and data security enforcement actions.  The FTC has been using its unfairness authority to reach companies’ data security practices since 2005, when it alleged that BJ’s Wholesale Club engaged in unfair acts by failing to use reasonable security measures for personal information collected in stores.  In fact, of the 37 data security enforcement actions that the FTC brought before it sued Wyndham, almost half (16) involved some element of an unfairness claim. 

Wyndham also took issue with the complaint’s deception count.  While conceding that the FTC has the authority to act against companies that make deceptive statements to customers, Wyndham argued that the statements in its online privacy policy were not deceptive because the privacy policy expressly disclaimed responsibility for the data-handling practices of independently owned, Wyndham-branded hotels — and it was the data collected by the hotels that was allegedly compromised, not Wyndham’s own data. 

Responsive and reply memoranda are due to be filed next month, and Wyndham has requested oral argument on its motion to dismiss.  We will be following developments closely.