The Federal Trade Commission is not backing down. Responding to Wyndham Hotel & Resorts’ contention that the FTC has overstepped its bounds by regulating the data security practices of private companies, the agency didn’t hold back.
Wyndham’s arguments “rest on a tortured reading of the statute and a rejection of seventy-five years of enforcement,” the agency wrote in its motion. It further characterized the resort company’s contentions as “astonishing,” “quite dubious, if not flatly wrong,” “extraordinary,” and navigating “uncharted territory.”
The company moved to dismiss the suit, arguing the agency had overstepped its bounds and assumed statutory authority “to do that which Congress has refused: establish data security standards for the private sector and enforce those standards in federal court.”
In the latest salvo, the FTC filed its response, calling Wyndham’s motion a “baseless legal challenge.” The agency is “not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it” – an area clearly under its purview, according to the brief.
The agency even disputed Wyndham’s analogies. In its motion to dismiss, Wyndham compared itself to a local furniture store that was robbed and then re-victimized by the FTC suit. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information,” the agency wrote. “Unlike Wyndham’s hypothetical furniture heist, Wyndham’s role in this matter was primarily as a vehicle for the victimization of consumers.”
Accepting Wyndham’s argument that the FTC lacks power to regulate data security would “carve out a data security exception to the FTC’s well-established unfairness authority,” the agency told the court. “Congress deliberately delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changing economy.” Deference should therefore be accorded to the agency’s determination as to the scope of its authority to enforce the FTC Act.
Subsequent sector-specific laws (including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act) do not limit the scope of the FTC’s authority but merely complement the agency’s powers. Accordingly, additional data security legislation that may be passed would not undermine the agency’s existing powers but would provide additional enforcement tools, the agency argued. Such legislative and executive attempts to enact data security bills would also not strip the FTC of its authority to regulate unfair practices.
The court should similarly disregard Wyndham’s line of argument that businesses lack notice about the requirements under Section 5, the FTC said. Companies are far from operating in a “guidance vacuum”: multiple sources of industry guidance exist on the issue of data security. Companies can also look to prior FTC enforcement actions involving data security programs for direction. “Although every situation is different, the consent orders . . . provide industry, including Wyndham, with notice of different features of data security that must be evaluated in order to maintain a reasonable data security program,” the agency wrote.
Why it matters: Neither party in the must-watch case is likely to back down. Wyndham has already taken the leap to challenge the agency’s authority, and the FTC must fight or face similar challenges from other defendants. All eyes will be on the court’s forthcoming ruling on whether or not to dismiss the suit.