Written by Adam Veness
Wyndham Hotel & Resorts LLC (“Wyndham”) has filed a Motion to Dismiss the Federal Trade Commission’s (the “FTC”) Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008. More information about the FTC’s Complaint can be seen in an earlier blog post here.
The Wyndham counter-volley takes an interesting approach. In its Motion, Wyndham argues that the FTC lacks authority under Section 5 of the FTC Act to regulate data security standards. Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Notably, Wyndham does not dispute that the FTC may bring enforcement actions against companies that make “deceptive” statements to consumers, i.e., misleading statements in a company’s privacy policy. Wyndham contends, however, that the FTC is overextending its authority to regulate “unfair” acts or practices by attempting to regulate data security standards for the private sector.
As an example, Wyndham lists various statutes that grant the FTC explicit authority to regulate data security standards in specific contexts:
- The Fair Credit Reporting Act – imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
- The Gramm-Leach-Bliley Act – mandates data-security requirements for financial institutions; and
- The Children’s Online Privacy Protection Act – requires websites to establish and maintain reasonable procedures to protect the confidentiality and security of information gathered from children.
Wyndham asserts that the FTC’s authority to regulate data security standards is limited to specific circumstances, and that Section 5 of the FTC Act does not provide the FTC with the broad authority upon which it relied in bringing its enforcement action against Wyndham.
As further support for its claim, Wyndham cites the FTC’s Report to Congress in 2000 (the “Report”). In the Report, the FTC admitted that it “lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites, or portions of their Web sites, not directed to children.” What’s more, in the Report, the FTC asked Congress to enact broader legislation requiring websites to “take reasonable steps to protect the security of the information they collect from consumers” and “provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.”
The implications of Wyndham’s Motion are far-reaching. Indeed, if the court finds for Wyndham and dismisses the FTC’s enforcement action, the FTC will likely have a tough road ahead when attempting to settle future claims with companies that have suffered from data breaches as a result of inadequate data security standards. Such a ruling for Wyndham could potentially provide enough ammunition to prompt Congress to step in and grant the FTC the authority that it requested over a decade ago in the Report. Wyndham’s Motion brings to light a possible gap in the FTC’s authority to regulate data security standards, despite all of the settlements that the FTC has made with companies on the basis of that authority.
This is an argument worth watching. Stay tuned.