As a privacy litigator, I could not help but observe an apparent contradiction in the way the Third Circuit allowed the FTC to pursue Wyndham Hotels for cybersecurity breaches under the FTC Act, but Judge Berman (SDNY) rejected the NFL’s authority to impose a 4-game suspension on New England Patriots’ quarterback Tom Brady for breaching professional football’s competitive integrity policy.  In both cases notice of the FTC’s and NFL’s policy for exacting punishment was demonstrably lacking. But the outcomes were not the same.

On August 24, the Third Circuit found that the FTC could punish Wyndham for cybersecurity breaches because Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are actually required by law. Judge Berman, on the other hand, some 10 days later, vacated Tom Brady’s 4-game arbitral suspension because “Brady had no [ ] notice” that someone who was aware of or allegedly schemed to deflate footballs (and not cooperate in the ensuing investigation) would be punished like users of performance enhancing drugs by the NFL. True, the Federal Trade Commission Act, NFL Policy, and the Federal Arbitration Act point in different directions. But Wyndham and Brady were subject to punishment by the FTC and NFL for violating federal law or league “policy.” Brady’s punishment was vacated because, among other things, there was no notice of a four-game suspension in the circumstances presented there. Maybe the end result will be that Brady can be punished, but perhaps only by a fine and not a suspension. And we have yet to see how Wyndham will be punished and whether that punishment will be upheld.

Tom Brady can start tonight’s game against the Steelers. Wyndham’s fate remains uncertain.