• by Wendy Davis  @wendyndavis, October 15, 2014

The Federal Trade Commission “overreached” by suing Wyndham Hotels for allegedly using poor cybersecurity practices, the U.S. Chamber of Commerce says in new court papers.

“The FTC should not be permitted to circumvent the full legislative process by establishing rules and principles through private enforcement actions,” the Chamber of Commerce argues in a friend-of-the-court brief filed with the 3rd Circuit Court of Appeals. The American Hotel & Lodging Association and National Federation of Independent Business also joined in the filing.

The filing is the latest turn in a lawsuit filed by the FTC against Wyndham in 2012. Regulators allege that the hotel chain -- which suffered three separate data breaches between 2008 and 2010 -- engaged in an unfair business practice by failing to take reasonable security measures, such as using firewalls and encrypting credit card information.

But Wyndham argues that it is the victim in this case, and shouldn't now face charges due to the actions of fraudsters. 

Earlier this year, U.S. District Court Judge Esther Salas in New Jersey rejected Wyndham's request to dismiss the charges. Wyndham is now asking the 3rd Circuit to reverse Salas's ruling. The hotel chain says the FTC shouldn't be able to impose security requirements retroactively, especially when it has never promulgated standards for data security. 

The Chamber of Commerce and other organizations backing Wyndham say that the FTC's position in this case could place most businesses at risk of an enforcement action. “Permitting the FTC to proceed on a theory that suffering a data breach is an 'unfair' trade practice would expose most businesses in America to the potential for a government enforcement action whenever that business suffers a cyber attack or other incident that potentially compromises personal data,” the groups argue.

They add that a “post-hoc” approach to cybersecurity doesn't give businesses adequate guidance about how to “comply law in a rapidly changing technological environment.”

Since 2011, the FTC has brought dozens of enforcement actions charging companies with violating consumers' privacy or mishandling their data. Unlike Wyndham, most of the companies settled with the FTC.