FTC v. Wyndham: The FTC Has Authority to Regulate Cybersecurity Breaches

In an historic decision with wide-reaching ramifications for data privacy and security, the Third Circuit Court of Appeals has affirmed the Federal Trade Commission’s authority to regulate cyberspace under the “unfair and deceptive acts” provision in § 5 of the FTC Act (FTC v. Wyndham). 

The appellate court’s ruling is the latest development in the ongoing saga of FTC v. Wyndham Hotels, a pivotal suit concerning the Commission’s ability to hold Wyndham Hotels accountable for three different data breaches that occurred over the space of two years. The FTC is alleging that the breaches, which resulted in millions of dollars in fraudulent charges billed to Wyndham guests’ credit cards, were a direct result of shoddy cybersecurity practices on the part of Wyndham and three subsidiaries. In a 2014 motion to dismiss, Wyndham asked a New Jersey district court to throw out the FTC’s suit, questioning the Commission’s authority to regulate data privacy practices under the FTC Act and raising issues around whether or not the FTC’s provisions provided fair notice of a failure in compliance. The district court denied the motion, and the Third Circuit heard an immediate appeal on “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”

On August 24, 2015, the Third Circuit affirmed the denial of Wyndham’s motion to dismiss. Judge Thomas Ambro’s opinion confirmed the FTC’s ability to prosecute cybersecurity practices under the FTC Act, and claimed that the FTC’s past actions, investigations and public statements combined with the Act itself provided ample notice of potential liability. While the litigation will continue, the Third Circuit’s opinion cements the FTC’s authority in the data privacy arena and underscores the importance of developing and following commercially reasonable technical, physical, and administrative security measures with regard to personally identifiable information.

Read the full opinion here.
