In an ongoing battle in the District Court of New Jersey, Wyndham Worldwide Corporation (Wyndham) is attempting to fight back against the Federal Trade Commission’s (FTC) authority to hold them liable for their data security failures. The FTC initially filed a complaint against Wyndham in June 2012 in a District Court in Arizona. The case was later transferred to New Jersey. Now, the company has filed a motion to dismiss based on its view that the FTC is overstepping its bounds in filing the complaint.

As background, the FTC’s complaint alleged that Wyndham breached its promises that it made to consumers in its privacy policy. Specifically, Wyndham’s online policy on its Wyndham Hotels and Resorts subsidiary’s website claimed that the company “recognize[d] the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to [their] central reservation centers, visitors to [their] Web sites, and members participating in [their] Loyalty Program.” Despite claiming to protect consumer’s personal information, the FTC claims that the company failed to take appropriate precautions to protect such information. According to the FTC, appropriate precautions would include complex user IDs and passwords, restricted third-party vendor access, as well as firewalls and network segmentation between the hotels and the corporate network. Additionally, the FTC claims that the defendant permitted improper software configurations that resulted in the storage of unencrypted payment card information. As a result of these alleged errors, between 2008 and 2010, Wyndham was the subject of three breaches that resulted in hundreds of thousands of consumer payment card data being transferred to a domain registered in Russia and more than $10 million in fraud losses.

Now, based on the FTC’s allegations, Wyndham argues that the FTC is overstepping its Section 5 authority by attempting to (a) punish the company for the breaches and (b) set data security standards. Wyndham’s arguments were supported by a brief submitted by the National Chamber Litigation Center, a separately funded affiliate of the US Chamber of Commerce, which has previously argued that the FTC is attempting to act outside of the legislative process and that this raises due process concerns. Despite these arguments, the FTC is maintaining its position, stating that its Section 5 authority was specifically created to empower it to address “unanticipated practices in a changing economy.”