The United States Court of Appeals for the Third Circuit has affirmed a district court decision that the Federal Trade Commission (FTC) has the authority to regulate companies' data security practices in its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation.
The U.S. District Court for the District of New Jersey had initially allowed the FTC to proceed with its case against Wyndham, which had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act.
In 2012, the FTC filed suit against Wyndham, alleging that the company's lack of reasonable security was a factor in three separate data breaches by hackers accessing sensitive consumer data. Wyndham was also charged with making misleading representations on its website regarding how it safeguarded customer information.
Wyndham argued that by passing targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act 1996, Congress had precluded the FTC's jurisdiction over private companies' data security. It also argued that the FTC must publish "rules, regulations or other guidelines" setting out the acceptable security standards.
The Third Circuit's three-judge panel disagreed, upholding the decision of the District Court. The Third Circuit ruled that the unfairness part of Section 5 of the FTC Act empowers the FTC to bring lawsuits against private companies for insufficient data security practices and, further, that the FTC is not required to publish rules or regulations which set out acceptable security standards.