On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.
The FTC first filed suit against Wyndham in June 2012, alleging that Wyndham’s failure to maintain reasonable security contributed to three separate data breaches involving hackers accessing sensitive consumer data. The complaint charged Wyndham with violating the FTC Act by posting misleading representations on the company’s websites regarding how the company safeguarded customer information, and by failing to take reasonable security measures to protect the personal information it collected. Previous enforcement actions by the FTC have typically been settled by consent order; this case is one of the first challenges to the FTC’s authority to regulate data security.