Wyndham asked Salas to dismiss the case, arguing that the FTC lacks authority to charge companies with unfair data security practices. The hotel chain specifically contended that the agency hadn't issued data-security regulations, which would have given companies advance notice of the standards the FTC expected them to follow.
Salas rejected Wyndham's arguments today, ruling that the FTC has the flexibility to charge Wyndham with unfairness regardless of whether the agency promulgated cybersecurity regulations. She said in the ruling accepting Wyndham's theory would lead to an “untenable consequence” -- that the FTC “would have to cease bringing all unfairness actions without first proscribing particularized prohibitions.”
At the same time, Salas wrote that her ruling doesn't “give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
Some commentators previously said that a ruling against Wyndham was likely to result in more FTC cybersecurity cases, while a ruling siding against Wyndham would have ended the FTC's ability to police poor security. The closely watched case drew friend-of-the-court briefs from a variety of groups, including the U.S. Chamber of Commerce (which sided with Wyndham) and advocacy organization Public Citizen (which supported the FTC.)