In early July, Wyndham Hotels asked the Third Circuit Court of Appeals to decide whether the Federal Trade Commission (FTC) has the authority to oversee corporate data security. Although the FTC has brought dozens of actions against businesses for insufficient data security practices, this would be the first time that the courts have been asked to consider the scope of the FTC’s regulatory powers in the data security realm. The outcome of this case will almost certainly impact the FTC’s ongoing and future data security enforcement actions, as well as litigation concerning data security and privacy.
The appeal stems from an FTC action against Wyndham in the District Court of New Jersey in which a federal judge denied Wyndham’s motions to dismiss, but certified two questions for interlocutory appeal: whether Section 5 of the FTC Act grants the FTC authority to regulate corporate data security, and, if so, what notice the FTC must give before bringing unfairness claims. The district court pointedly stated that these two issues involve “novel [and] complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”
The appellate court may decide to review the legal conclusions of the district court’s order denying the dismissal. Alternatively, it may deny Wyndham’s petition and hear these issues on appeal, following a grant of summary judgment or the conclusion of a trial in this case.
While the Third Circuit decides whether to hear Wyndham’s appeal, the FTC’s action against the hotel chain remains ongoing at the district court level. The FTC complaint alleges that Wyndham’s data security practices constitute unfair trade practices under Section 5 of the FTC Act because they were not “reasonable and appropriate” in safeguarding consumer data. It further alleges that the hotel chain engaged in “deceptive” trade practices because its security measures fell short of the “commercially reasonable efforts” to protect personal information claimed in the Wyndham online privacy policy. The allegations stem from three data breaches in 2008 and 2009 that compromised the personal information of an estimated 600,000 accounts.