appellate court should decide whether the Federal Trade Commission can proceed with charges that Wyndham Hotels failed to take reasonable measures to protect consumers' data.
a case warranted ... appellate review, this is it,” Wyndham says in a petition filed late last week with the 3rd Circuit Court of Appeals.
The battle between the FTC and Wyndham stems
from three separate data breaches suffered by Wyndham between 2008 and 2010. The FTC sued the hotel chain in June 2012, charging it with unfairly failing to take reasonable security measures -- like
using firewalls and encrypting credit-card information.
Wyndham asked U.S. District Court Judge Esther Salas in New Jersey to dismiss charges that it acted unfairly. The hotel chain argued
the FTC lacks authority to charge companies with unfairness, based on their data-security practices. Wyndham also said the FTC never issued data-security regulations, which would have provided
companies with advance notice of the standards the FTC expected them to follow.
Earlier this year, Salas rejected Wyndham's arguments. She ruled that the FTC has the authority to charge
Wyndham with unfairness, regardless of whether the agency previously promulgated cybersecurity regulations.
Last month, she authorized Wyndham to attempt to appeal that ruling to the 3rd
Circuit. The company is now asking the appellate court to accept the case for review.
“Whether the FTC is authorized to regulate data security and whether the Commission has provided
fair notice of what the law requires are issues as to which there are substantial grounds for difference of opinion,” the company says. “Where the issues are as nuanced and important as
these ... review is appropriate, particularly where (as here) the legal landscape is uncharted.”
Wyndham adds that the FTC's decision to charge the company without first promulgating
data-security rules “is deeply unfair to private parties that are doing their best to comply with the law.”
Since 2011, the FTC has brought dozens of enforcement actions
charging companies with violating consumers' privacy or mishandling their data. In one recent example, last December the FTC brought charges against the developer of the Brightest Flashlight app,
which allegedly transmitted consumers' geolocation data and unique device identifiers to ad networks.
Unlike Wyndham, most of the companies settled with the FTC. For that reason, many
outside groups weighed in with Salas, including the U.S. Chamber of Commerce (which sided with Wyndham) and advocacy organization Public Citizen (which supported the FTC.)
“This is a
very important case,” says Santa Clara University law professor Eric Goldman, who has closely followed the litigation. “The FTC has self-appointed itself as the enforcement agency to
punish corporations for being the victims of criminal hacking. Based on this self-proclaimed authority, and with absolutely zero judicial oversight, the FTC has wrested dozens of settlements from
companies that suffered data security breaches.”