Here’s an interesting piece from Computerworld about a proceeding in a New Jersey federal court where the Federal Trade Commission finds itself on unfamiliar turf – that being defense. The case is a lawsuit filed by the FTC against the Wyndham Hotel chain alleging that breaches in Wyndham’s customer data files constitutes an “unfair and deceptive” practice, under Section 5 of the FTC Act.
Some trade groups – including the U.S. Chamber of Commerce and the American Hotel and Lodging Association – have filed amicus briefs asking the court to dismiss the FTC action. The trade groups question if the FTC isn’t being a little deceptive by using the kind of vague Section 5 provisions to go after companies who experience data breaches.
The trade groups note that the FTC has never specified what it considers reasonable data security standards, but it routinely nails companies (e.g. ChoicePoint and RockYou) following data breaches for not maintaining “reasonable data security standards.” They also note that Congress never gave the FTC the authority to regulate data security. By using the “deceptive practices” language, the FTC is working around that lack of authorization.
Congress continues to debate federal data breach legislation. If (and given this Congress we are talking a gigantic “if” here) legislation is enacted, the FTC may get express authority to regulate this area. But until then, it will be interesting to see how the Wyndham court rules.