Data security is big news. And so is the Federal Trade Commission (“FTC”). Put the two together in a crucible of litigation, and it is sure to be a blockbuster. That is what the closely-watched case FTC v. Wyndham, now pending before the Third Circuit Court of Appeals, is shaping up to be.
The case, in which oral arguments were heard earlier this month, has its beginnings in 2012 when the FTC filed a complaint against Wyndham hotel companies (“Wyndham”) alleging a failure to maintain reasonable data security. Section 5 of the Federal Trade Commission Act endows the FTC with authority to police “unfair or deceptive acts or practices in or affecting commerce.” Specifically, the FTC alleged that Wyndham’s data security failures resulted in three instances of unauthorized access to Wyndham’s computer network containing sensitive consumer information. The FTC has been active in the data security arena for a number of years now, but Wyndham was the first to challenge its authority.
Wyndham moved to dismiss the complaint arguing that, among other things, the FTC lacked authority to assert an unfairness claim in the data-security context. Wyndham argued the FTC’s enforcement action amounted to the electronic equivalent of punishing a brick-and-mortar store for being robbed. But, the District of New Jersey disagreed, finding nothing precluded the FTC’s Section 5 authority to enforce data security.
Wyndham’s request for an immediate appeal of the ruling was granted – it argued that the issue of whether the FTC’s authority extends to regulation of data security is centrally important to businesses, particularly given the steady increase in cyberattacks.
In its appellate brief, Wyndham argued the FTC was overreaching its authority and failed to provide fair notice of what reasonable cybersecurity practices might be. The FTC responded that its Section 5 authority was purposely drafted in open-ended terms so that the FTC could accommodate evolving threats to consumers. It also argued its own prior complaints, consent orders, and publications gave Wyndham fair notice of its obligations to protect consumer data.
A decision from the Third Circuit would only be binding in Pennsylvania, New Jersey, and Delaware, but the case is being watched nation-wide as it promises to be the first appellate-level guidance on the FTC’s authority in the data security context. The varying interests in the case are reflected in the multiple amicus briefs filed with the court, including from the U.S. Chamber of Commerce, the Electronic Transactions Association, the Center for Digital Democracy, the Electronic Frontier Foundation, and the Electronic Privacy Information Center.
After the arguments, the Third Circuit requested supplemental briefing from both parties. Watch this blog for further developments in this case.