The Federal Trade Commission (FTC) filed a civil complaint against Wyndham Worldwide Corporation and affiliated companies (collectively, Wyndham) for failing to implement reasonable data security measures to protect customers’ payment card information. Wyndham’s failure left its network vulnerable to cyber criminals, who accessed Wyndham’s network three times and stole hundreds of thousands of consumers’ information before the FTC filed suit. The FTC asserts that Wyndham engaged in unfair and deceptive practices relating to data security under the FTC Act, 15 U.S.C. § 45. Wyndham moved to dismiss the case.
Public Citizen and Chris Jay Hoofnagle, a lecturer in residence at the University of California, Berkeley School of Law, filed an amicus brief in support of the FTC’s opposition to the motion to dismiss. The brief discussed the substantial harm that consumers are likely to suffer when their financial or other sensitive information is stolen from a company’s computer network. It also explained why FTC enforcement actions such as the one at issue here are critical to redressing the unfair corporate practices that lead to data breaches of consumer information.
The district court denied Wyndham’s motion to dismiss, holding that Section 5 of the FTC Act permits the FTC to bring enforcement actions against companies for unfair or deceptive practices in the data security realm. The court also rejected Wyndham’s alternative argument that the FTC was required to provide notice of its Section 5 authority by promulgating formal regulations before maintaining any enforcement actions.
Wyndham took an interlocutory appeal of the district court’s denial of its motion to dismiss the FTC’s claim that Wyndham’s data security practices constituted an “unfair” practice under Section 5 of the FTC Act. On appeal, Wyndham argued that the FTC’s attempt to regulate corporate data security practices exceeded its statutory authority to regulate unfair business practices, that Wyndham was deprived of fair notice of how the FTC interpreted its regulatory authority with respect to data security, and that no substantial injury occurred to any consumer as a result of the breaches of Wyndham’s computer systems. Public Citizen’s amicus brief explained that the injury to consumers following a corporate data breach includes significant financial, emotional, and time costs, and explained that past FTC enforcement actions involving corporate data security practices similar to those Wyndham is alleged to have maintained provide fair notice of the FTC’s interpretation of its regulatory authority in this area and are critical to protecting consumers. The Third Circuit affirmed the Federal Trade Commission's authority to regulate companies' data security in rejecting Wyndham Worldwide Corp.'s argument that Congress had never intended for the commission to be able to use its unfairness authority to police such practices.