On March 3, 2015, the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. (“Wyndham”) on whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act.
As we previously reported, on June 26, 2012, the FTC announced that it had filed suit against Wyndham and three of its subsidiaries alleging that the company posted misleading representations on Wyndham websites regarding how the company safeguarded customer information. In addition, the FTC alleged that Wyndham failed to maintain reasonable data security practices, leading to three separate data breaches involving hackers accessing sensitive consumer data. In response, Wyndham challenged the FTC’s authority to bring charges against private companies over their data security, arguing that by adopting targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Congress had precluded the FTC’s jurisdiction over data security. Wyndham also argued that before bringing a Section 5 enforcement action, the FTC must publish “rules, regulations, or other guidelines” setting out the acceptable security standards.
Though Wyndham’s arguments were rejected by the U.S. District Court for the District of New Jersey, Law360 reported that the Third Circuit panel seemed receptive to Wyndham’s arguments: Judge Thomas L. Ambro stated that the legislative history indicates that the FTC may only be authorized to bring “routine fraud cases” to the court, and the panel spent a considerable amount of time considering Wyndham’s argument that the FTC failed to give sufficient notice of what constitutes “unreasonable” data security practices. According to Law360, the court also seemed unlikely to accept the FTC’s argument that deference should be given to the Eleventh Circuit’s January 2014 ruling in the FTC’s suit against LabMD, in which LabMD also challenged the FTC’s authority to bring an administrative challenge against private companies for data security practices. The Eleventh Circuit ruled that it did not have jurisdiction to evaluate the merits of the case until the FTC takes a reviewable final agency action.
The final outcome of FTC v. Wyndham has the potential to make a significant impact on the FTC’s regulation of consumer data security.