A federal appellate court could soon decide whether the Federal Trade Commission can proceed with a lawsuit accusing Wyndham Hotels for failing to deploy adequate data-security measures.
On Monday, U.S. District Court Judge Esther Salas in New Jersey authorized an immediate appeal of an earlier ruling, which allowed the FTC to charge Wyndham with unfairly managing consumers' data. She said in her ruling that the “novelty of liability issues relating to data-security breaches” justified an immediate appeal.
Wyndham asked Salas to dismiss the case, arguing that the FTC lacks authority to charge companies with acting unfairly based on their data-security practices. The hotel chain specifically contended that the FTC never issued data-security regulations, which would have provided companies with advance notice of the standards the FTC expected them to follow.
Arguments in the closely watched case drew friend-of-the-court briefs from a variety of groups, including the U.S. Chamber of Commerce (which sided with Wyndham) and advocacy organization Public Citizen (which supported the FTC.)
Salas ruled in favor of the FTC in April, deciding it has the flexibility to charge Wyndham with unfairness, regardless of whether the agency previously promulgated cybersecurity regulations. At the time, Salas attempted to limit her ruling's impact, writing that her decision doesn't “give the FTC a blank check to sustain a lawsuit against every business that has been hacked."
Industry observers are closely watching the case, with some saying that a pro-Wyndham decision could force the FTC to revise its approach to consumer privacy. “What's at stake is whether or not the FTC is the appropriate regulatory body to monitor privacy and data security in the U.S, and whether they have authority to do it,” says attorney Gregory Boyd, a partner in Frankfurt Kurnit Klein & Selz.
Since 2011, the FTC has brought dozens of enforcement actions charging companies with violating consumer privacy rights. In a recent example, last December the FTC unveiled a complaint against the developer of the Brightest Flashlight app, which allegedly transmitted consumers' geolocation data and unique device identifiers to ad networks.
Unlike Wyndham, most of the companies accused of privacy violations, including the Brightest Flashlight developer, settled with the FTC. “Wyndham is one of the first companies with the money and the legitimacy to question whether or not it's appropriate for the FTC to have that jurisdiction,” Boyd says.
The 3rd Circuit hasn't yet said whether it will hear an immediate appeal of the case.