Judge Green Lights FTC's Data Security Case Against Wyndham Worldwide

April 8, 2014 Advisory

On April 7, the U.S. District Court for the District of New Jersey ruled that the Federal Trade Commission should be allowed to proceed with its case against Wyndham Worldwide Corp., the hotel franchisor, for allegedly failing to safeguard consumers' personal information.

Between April 2008 and January 2010, Wyndham experienced three major data breaches that led to more than $10 million in fraudulent charges. Hackers broke into Wyndham's computer system, as well as systems at several of its individual hotels, stealing credit- and debit-card numbers on hundreds of thousands of consumer accounts. The FTC accused Wyndham of failing to provide adequate security for the central reservation computer system and filed suit in 2012. Specifically, the FTC's complaint seeks to impose responsibility for inadequate data security on Wyndham as a franchisor for alleged data security failures at its subsidiaries and at Wyndham's franchised hotel properties. Wyndham moved to dismiss the lawsuit, arguing that the FTC "lacks the authority to pursue this type of case against businesses, and has failed to publish any regulations that would give businesses fair notice of any proposed standards for data security." Judge Esther Salas explained that she was "unpersuaded that regulations are the only means of providing sufficient fair notice."

While Judge Salas did not rule on the specific allegations, the decision to green light the case could help clarify the FTC's role in data breach cases moving forward. The FTC recently marked its 50th enforcement proceeding involving claims that inadequate data security measures by private sector businesses constitute an unfair business practice [1]. For the time being, at least, the decision bolsters the FTC's emerging role as chief cybersecurity enforcer under the authority of Section 5 of the Federal Trade Commission Act.

In deciding that the FTC's enforcement action could proceed against Wyndham, the court also determined that the differences the FTC alleged between promises Wyndham made in its privacy policy and the company's actual data security practices were sufficient to support a deceptive practices claim under the FTC Act. FTC Chairwoman Edith Ramirez said that she was "pleased that the court has recognized the FTC's authority to hold companies accountable for safeguarding consumer data."

The FTC's authority has been challenged in this area before. While it has brought dozens of data privacy cases, questions remain about its authority in the realm of data security. For example, last year medical testing company LabMD brought a similar defense after the FTC filed a complaint alleging that the company failed to reasonably protect the security of consumers' personal data, including medical information. The FTC alleged that in two separate incidents, LabMD exposed the personal information of approximately ten thousand consumers. LabMD argued that the FTC's complaint was "in excess of statutory authority and short of statutory right." However, in January 2014 the FTC rejected LabMD's move to dismiss the complaint; and in March of this year, LabMD responded with a motion for a preliminary injunction asking the U.S. District Court for the Northern District of Georgia to suspend the FTC's enforcement action. LabMD closed in January.

The case is Federal Trade Commission v. Wyndham Worldwide Corporation et al., U.S. District Court for the District of New Jersey, case no. 13-cv-1887.

[1] See FTC, Commission Statement Marking the FTC's 50th Data Security Settlement (Jan. 31, 2014).