FTC Wins Important Victory in Wyndham
Wyndham Hotels and Resorts has lost round one in its assault on the FTC’s authority to regulate data security. Wyndham had challenged the FTC’s authority to bring a complaint for unfair and deceptive practices “in connection with Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”
The FTC had cited Wyndham because intruders gained access to its network on three separate occasions, using similar techniques each time, to access personal information stored on the Wyndham-branded hotels’ property management system servers, including customers’ payment card account numbers, expiration dates, and security codes. The FTC charged that after the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [their] network.”
Wyndham fought back, charging that the FTC was overstepping its authority in this area, but the court rejected this argument — at least for now.
Hotels and Resorts characterizes this case as the first instance where “the FTC is asking a federal court to hold that Section 5 of the FTC Act—a 1914 statute that prohibits ‘unfair and deceptive acts or practices’—authorizes the Commission to regulate the sophisticated technologies that businesses use to protect sensitive consumer information.” Hotels and Resorts asserts that the FTC’s action “is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.” (Id. at 21). But Hotels and Resorts’ motion to dismiss demands that this Court carve out a data-security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory. And, after having wrestled with arguments in the parties’ initial briefing, oral argument, supplemental briefing, as well as in several amici submissions, the Court now endeavors to explain why Hotels and Resorts’ demands are inconsistent with governing and persuasive authority.
To be sure, the Court does not render a decision on liability today. Instead, it resolves a motion to dismiss a complaint. A liability determination is for another day. And this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint—which must be taken as true at this stage—in view of binding and persuasive precedent.