The Third U.S. Circuit Court of Appeals breathed new life into Wyndham Hotels’ challenge to the Federal Trade Commission’s authority to regulate data security practices.
Wyndham fired back with a direct challenge to the FTC’s authority to assert an unfairness claim in the data security context. The company also contended that the agency violated fair notice principles by not first promulgating regulations before bringing such a claim.
In an opinion recognizing the “rapidly evolving” digital age, U.S. District Court Judge Esther Salas refused “to carve out a data security exception” to the agency’s authority.
Wyndham appealed to the Third Circuit. The case presents “two hotly contested and critically important issues of law regarding federal administrative authority over a new and burgeoning field,” the defendant wrote in its request for the court to certify its order for interlocutory appeal.
The FTC has filed or settled over 50 data security enforcement actions to date and an appellate decision on the issues of the Commission’s authority and whether it needs to provide additional notice about what the law requires to simplify pending and future enforcement efforts and provide guidance to businesses trying to puzzle their way through the issue, Wyndham said.
The business community agreed, with the U.S. Chamber of Commerce filing an amicus brief in support of Wyndham (joined by the American Hotel & Lodging Association and the National Federation of Independent Business). “Whether the FTC’s enforcement authority under Section 5 of the FTC Act . . . extends to regulation of data security is an issue of central importance to businesses that face the prospect of being investigated by the Commission,” the groups wrote. “That prospect becomes likelier every day given the increase in cyber-based attacks against businesses many of which, experts agree, are likely to succeed notwithstanding significant efforts on the part of those businesses.”
An appellate decision “would provide much needed clarity” for the business community, the Chamber told the court, particularly as companies “currently struggle to decipher coherent standards from the FTC’s dozens of consent orders and previous pronouncements on data security, and to accommodate those dictates with other security regulations and risk management protocols. With the greater certainty that an appellate decision would provide, businesses would be able to better allocate their scarce resources toward compliance with the complex regulatory regime governing data security.”
The agency did not oppose Wyndham’s motion, stating in its brief that federal appellate review “would advance the public interest by removing the uncertainty that Wyndham is attempting to generate regarding the Commission’s statutory authority to protect consumers from unreasonable and harmful data security lapses.”
After Judge Salas certified her order for appeal, the Third Circuit agreed to hear the case.
To read Wyndham’s motion to certify the order for interlocutory appeal, click here.
To read the U.S. Chamber of Commerce’s amicus brief, click here.
Why it matters: The battle continues. Backed by the business industry, Wyndham now has a second chance to convince a court that the FTC lacks the authority to regulate data security practices and/or that the agency must proactively promulgate guidance before taking enforcement actions. We will continue to watch the case throughout the appellate process.