Could the high-profile dispute over the scope of the Federal Trade Commission’s data security authority be settled in mediation?
Just days after the Commission filed its response to Wyndham Hotel’s motion to dismiss the charges against it – with amicus briefs filed in support of both parties – the presiding judge ordered the parties to begin mediation.
The case began innocuously enough, with the FTC alleging that the hotel chain violated Section 5 of the Federal Trade Commission Act by misrepresenting the strength of its data security protection after suffering three cyberattacks between 2008 and 2010.
But unlike the more than 50 other companies facing similar charges from the agency, Wyndham fired back with a direct challenge to the FTC’s authority to make an unfair practices claim in the data security context. The company also contended that the agency violated fair notice principles by not first promulgating regulations before bringing a Section 5 charge.
In an opinion that recognized the “rapidly evolving” digital age, U.S. District Court Judge Esther Salas declined “to carve out a data security exception” to the FTC’s authority. Wyndham appealed to the Third U.S. Circuit Court of Appeals, which agreed to hear the case in August.
Continuing the battle, the hotel chain filed a motion to dismiss the suit. Wyndham contended that it did nothing and maintained that the agency seeks to hold them responsible for security breaches even though the agency has not established data security standards. “The Commission has simply anointed itself a roving cybersecurity prosecutor – but, unlike other prosecutors, one that seeks to define the offense and to do so after the fact,” Wyndham wrote in its brief.
Groups such as the U.S. Chamber of Commerce, the National Federation of Independent Business, the Electronic Transactions Association, and the Washington Legal Foundation backed the company in amicus briefs.
The FTC filed its response in which it reiterated the same lapses in security measures that, in its view, constituted an unfair practice. Consumer groups such as the Center for Digital Democracy, the Electronic Frontier Foundation, and Public Citizen have supported the agency’s position.
According to the agency, “Wyndham left customer data unprotected by firewalls; did not encrypt credit card information; used outdated software that could not receive security updates; used widely known default passwords and easily guessed passwords instead of complex passwords . . . and failed to employ reasonable measures for detecting and preventing intrusions.”
But while the federal appellate panel considers the arguments, the parties will be spending a little more time together. Citing the need to conserve judicial resources, Judge Salas ordered mediation for Wyndham and the FTC. He stayed formal discovery and ordered the parties to evenly split the meditation costs.
To read the court’s order in FTC v. Wyndham Worldwide Corp., click here.
Why it matters: Could the closely watched, heated battle between the FTC and Wyndham fizzle out in mediation? If the parties reach a deal, the question of the agency’s regulatory authority in the data security realm could go unanswered, a result that would frustrate many businesses hoping for guidance on the issue.