On March 3, the Third Circuit heard oral argument in FTC v. Wyndham, a case that is being closely followed by the privacy and data security community. Wyndham is challenging the Federal Trade Commission’s (“FTC”) authority to regulate data security.
Since 2002, the FTC has been utilizing Section 5(a) of the FTC Act’s prohibition on “acts or practices in or affecting commerce” that are “unfair” or “deceptive” to prosecute companies for data security practices that put consumers’ personal data at risk. Most of these cases were settled.
The hotelier, however, is fighting back and challenging the agency’s authority to police data security and prosecute companies for cybersecurity breaches.
The FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries in 2012 for alleged data security failures that led to $10.6 million in fraud loss.
Wyndham filed a motion to dismiss, arguing that the FTC does not have purview over data security and, even if it did, the principles of fair notice require that the FTC establish regulations or guidelines explaining what standards it expects private parties to adhere to before it can bring an enforcement action.
The U.S. District Court of New Jersey denied Wyndham’s motion, and Wyndham appealed the decision to the Third Circuit. Many expect that the Third Circuit will affirm the district court’s decision; however, judging by oral argument, the case does not appear to be a clear victory for the FTC.
At oral argument, the judicial panel focused on whether the FTC can bring a case to federal court without first declaring, through rulemaking or administrative decisions, what cybersecurity practices are unfair. The panel also questioned whether the FTC was asking the courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance and if the courts have the authority to make such a ruling.
At the court’s request, the parties filed supplemental briefing on these issues yesterday.
Though the Third Circuit’s decision will only be binding within that circuit, its opinion will no doubt be influential across the nation. Another challenge was mounted to the FTC’s authority by LabMD. In that case, the FTC brought an administrative enforcement action against the company and, earlier this year, the Eleventh Circuit ruled that LabMD must first go through the FTC administrative hearing process and await a final decision by the FTC before it can ask the federal courts to weigh in on the FTC’s authority.
If the Third Circuit rules in favor of Wyndham, there will be no federal regulator with the power to broadly oversee privacy and data security. The FTC has repeatedly called for legislation that would strengthen its authority governing data security standards, and require companies to provide notification to consumers affected by a data breach; though several bills have been proposed, nothing has come to fruition. Congress will have to act fast to put appropriate measures in place to fill in the gap.