On August 24, 2015, the United States Court of Appeals for the Third Circuit issued its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation (“Wyndham”), affirming a district court holding that the Federal Trade Commission has the authority to regulate companies’ data security practices.
As we previously reported, the case stems from Wyndham’s challenge to the FTC’s authority to bring a 2012 suit against Wyndham, in which the FTC alleged that the company’s failure to maintain reasonable security contributed to three separate data breaches involving hackers accessing sensitive consumer data. Wyndham challenged the FTC’s authority to bring charges against private companies’ data security, arguing that by adopting targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Congress had precluded the FTC’s jurisdiction over data security. Wyndham also argued that before bringing a Section 5 enforcement action, the FTC must publish “rules, regulations, or other guidelines” setting out the acceptable security standards.
In today’s decision, the Third Circuit’s three-judge panel upheld the U.S. District Court for the District of New Jersey’s April 2014 ruling that the unfairness prong of Section 5 of the FTC Act does empower the FTC to bring lawsuits against private companies for insufficient data security practices, and that it is not required to publish rules or regulations regarding what constitutes reasonable security standards.
In a statement released by the FTC, FTC Chairwoman Edith Ramirez said, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”