Can the FTC Regulate Data Security Practices? Third Circuit Hears Wyndham Hotels Appeal

FTC v. Wyndham Hotels & Resorts

It is still unclear if the FTC has the authority to regulate companies’ data security practices. In 2012, the FTC brought charges against Wyndham Hotels and Resorts for negligent data security standards after a series of three data breaches at the hotel chain in 2008 and 2009 compromised 619,000 customer accounts. The FTC alleged in its complaint that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury. The FTC charged that the security practices were unfair and deceptive and violated the FTC Act.

Wyndham responded to the FTC’s lawsuit by filing a motion to dismiss, claiming that the FTC did not have authority under Section 5 of the FTC Act to regulate Wyndham’s data security practices. However, a New Jersey federal district court disagreed. In denying the motion, the court was careful to limit the holding to the motion to dismiss in this specific case. The court rejected Wyndham’s use of FDA v. Brown & Williamson Tobacco Corp. and distinguished the case based on the fact that Wyndham failed to explain how the FTC’s action would be inconsistent with recent legislation to the point of plainly contradicting congressional policy, as was the case in Brown & Williamson. The court found that the opposite seemed to be true; that subsequent legislation seemed to complement rather than preclude the FTC’s authority. The court also did not buy into the argument that the FTC’s representations seemingly disclaiming its authority precluded the FTC’s actions.

Following the district court’s denial of the motion, Wyndham lodged an interlocutory appeal challenging the district court’s ruling. The FTC responded, standing by its arguments that the agency was well within its powers in bringing action against Wyndham. Following briefing, the Third Circuit held oral argument on Wyndham’s appeal. The Third Circuit asked counsel for both sides to discuss: 1) whether the FTC had declared that unreasonable cybersecurity practices are “unfair,” 15 U.S.C. § 45(a), through the procedures provided in the FTC Act, 15 U.S.C. §§ 41-58; and 2) whether, assuming the FTC has not, the FTC is asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance, and if so, whether the courts can do so in this case brought under 15 U.S.C. § 53(b). The Third Circuit has yet to issue its opinion.

This case raises crucial questions about the regulation of data security practices, and the implications of the Third Circuit’s opinion could be far-reaching if the court upholds the FTC’s authority to regulate such practices. To date, the FTC has brought suit against some 55 companies for maintaining “unreasonable” cybersecurity practices. Yet the commission has never formally defined what constitutes “reasonable” security, and it is unlikely the FTC will do so anytime soon. FTC Commissioner Julie Brill suggested that her agency would not define a comprehensive standard until the Wyndham case is resolved. In the meantime, companies must piece together a definition of reasonableness from a collection of guidance, tips and blog posts on the FTC’s website.

If the FTC ever does issue a formal standard, companies like Wyndham shouldn’t expect a list of controls that companies should implement. Such specific guidance is apt to become obsolete as soon as it is issued. Rather, Commissioner Brill indicated that the FTC is more concerned that companies take a holistic approach to managing cyber risks—in other words, it is better to have the right risk management framework than the right security widget. For now, companies like Wyndham can only wait and wonder what the Third Circuit will rule.