Appeals Court Agrees To Hear Wyndham's Challenge To FTC

A federal appeals court has agreed to decide whether the Federal Trade Commission can bring charges against companies based on their alleged failure to protect consumers' data.

The court's move comes in response to a petition filed by Wyndham Hotels, which is fighting an FTC lawsuit alleging that the hotel chain didn't use firewalls, encrypt credit card data or take other “reasonable” security measures to protect consumers' financial information. The FTC sued Wyndham after the hotel chain suffered three data breaches between 2008 and 2010.

U.S. District Court Judge Esther Salas in New Jersey ruled earlier this year that the FTC could proceed with the case. Wyndham then asked the Third Circuit Court of Appeals to hear the case. The U.S. Chamber of Commerce, American Hotel & Lodging Association and National Federation of Independent Business filed a friend-of-the-court brief backing that request.

“Whether the FTC’s enforcement authority ... extends to regulation of data security is an issue of central importance to businesses that face the prospect of being investigated by the Commission,” the groups argued. “That prospect becomes likelier every day given the increase in cyber-based attacks against businesses.”

Since 2011, the FTC has brought dozens of enforcement actions charging companies with violating consumers' privacy or mishandling their data. Most of the companies that faced charges relating to privacy or data security settled with the FTC. In one recent example, last December the FTC brought charges against the developer of the Brightest Flashlight app, which allegedly transmitted consumers' geolocation data and unique device identifiers to ad networks.

The FTC didn't oppose Wyndham's request for appellate review. The agency said in court papers that a “prompt decision” upholding its right to bring data-security cases “would advance the public interest by removing the uncertainty that Wyndham is attempting to generate regarding the Commission’s statutory authority to protect consumers from unreasonable and harmful data-security lapses.”

Earlier in the proceedings, Wyndham urged Salas to rule that the FTC lacks authority to charge companies with using poor data-security practices. The hotel chain also argued that the FTC should have issued guidance on data security before bringing suit.

Salas rejected those arguments, ruling that the FTC is authorized to charge unfairness, regardless of whether the agency previously promulgated cybersecurity regulations.