FTC v. Wyndham Hotels & Resorts, LLC, No. 14-3514 (3d Cir.).

Wyndham Worldwide Corporation’s battle with the Federal Trade Commission over the FTC’s authority to police data security practices under Section 5 of the FTC Act has caught the attention of cybersecurity experts and stakeholders nationwide. As we previously reported, the District of New Jersey found in favor of the FTC, but certified the issue of the FTC’s Section 5 authority for interlocutory appeal to the Third Circuit in June 2014. In the appeal, in addition to the parties’ briefs, six amici curiae briefs were filed, evenly split three-and-three for and against affirming the district court. 

Three amici curiae briefs filed by the Washington Legal Foundation, the Allied Educational Foundation, the Electronic Transactions Association, the U.S. Chamber of Commerce, American Hotel & Lodging Association, and National Federation of Independent Business urged reversal. The briefs argued that the FTC’s interpretation of its authority to regulate data security practices under Section 5—expressed solely in the form of consent decrees and a business guidance brochure—was not entitled to Chevron deference, in part because Congress never delegated authority to the FTC to promulgate binding legal rules regarding data security. They further argued that the FTC’s actions contravene the FTC Amendments Act of 1994 limiting the FTC’s power under Section 5 and represent an attempt by the FTC to circumvent the legislative process. The Electronic Transactions Association argued that the FTC did not have authority to regulate data security under the 1994 Act as an “unfair trade practice” because, by statute, its members bear the monetary losses incurred by fraudulent charges.

The amici siding with Wyndham also argued that the FTC’s actions were unfair to businesses—particularly small businesses—because they provided insufficient notice of what could give rise to liability, especially given the evolving nature of cybersecurity risks. They also argued that the security-related actions brought by the FTC offered little guidance to businesses because the vast majority were settled by consent decrees that expressly did not constitute admissions of any violation of the law.

Three amici curiae briefs filed by Public Citizen, Inc., the Center for Digital Democracy, Consumer Action, the Center for Democracy & Technology, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and thirty-three technical and legal experts urged the Third Circuit to affirm the district court. Their briefs argued that measuring the “substantial injury” of data breaches to consumers solely in terms of fraudulent credit card charges ignores other significant harms, such as lost employment opportunities due to poor credit, the time, effort, and emotional distress of disputing identity theft, fraudulent tax refunds, and the lucrative black market for stolen credit card numbers. Citing the rise of “mega breaches” in 2013, they argued that the FTC plays a critical role in ensuring that businesses take proper precautions to protect consumer data to avoid preventable damage in the face of a growing threat. Further, the amici siding with the FTC argued that formal rulemaking regarding data security standards would become outdated too quickly to be effective, and that business interests had represented to the court that data security standards and industry best practices were more unpredictable and opaque than they actually are.

In the meantime, the district court action remains stayed pending appeal, but on November 17, 2014, the court ordered the parties to mediation. The parties have fully briefed the appeal as of December 8, 2014, and await a date for oral argument.