Hotelier Wyndham Worldwide Corp’s motion to dismiss an FTC lawsuit alleging lax data security practices is likely to have significant implications for the agency’s ability to police cybersecurity practices at American businesses.

The FTC complaint alleges that the hotel chain did not provide adequate data security, leaving customers’ payment card numbers vulnerable to hacking. According to the FTC, the alleged security breaches, which took place over a period of two years, led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia. The FTC is asking a New Jersey federal court to require Wyndham to beef up its security practices. It is also seeking damages and an injunction to prevent Wyndham from future conduct that would violate the Federal Trade Commission Act.

Wyndham moved to dismiss the FTC’s complaint on the grounds that it exceeds the agency’s power and that the case was brought without any FTC guidance on what security practices the business should be adopting. Wyndham argued that Congress has not explicitly granted any Washington agency the authority to regulate corporate cybersecurity or order them to beef up their security. The FTC, on the other hand, argues that "[t]he case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security." Specifically, the agency said that the hotel engaged in both deceptive and unfair business practices by telling customers it used "standard industry practices" to protect their private information, when in fact its steps were not reasonable or appropriate in the agency’s eyes.

Although the FTC has brought numerous cybersecurity enforcement actions against companies on the premise that those companies engaged in unfair or deceptive practices by not taking adequate steps to protect consumers, this is the first time a federal judge will weigh in on the scope of the FTC’s powers in this area.