FTC V. WYNDHAM WORLDWIDE CORPORATION, ET AL. AND THE FTC’S AUTHORITY TO REGULATE COMPANIES’ DATA SECURITY PRACTICES
By Kathryn F. Russo1
In a landmark decision, FTC v. Wyndham Worldwide Corp.,2 a federal court held, for the first time, that the FTC has authority under Section 5 of the Federal Trade Commission Act3 to enforce the prohibition against unfair and deceptive acts or practices in the field of data security. Although the FTC has brought data security enforcement actions against companies under Section 5 for over a decade, the Wyndham decision is significant because it is the first time a federal court has held, in the face of robust opposition, that the FTC has authority under Section 5 to bring such actions.
As detailed below, the FTC alleged that Wyndham’s failure to maintain reasonable data security standards violated Section 5 of the FTC Act.4 In response, Wyndham filed a motion to dismiss arguing, among other things, that (i) the FTC lacks authority to regulate data security under Section 5 of the FTC Act, (ii) the FTC failed to provide fair notice of what constitutes reasonable data security standards, and (iii) Section 5 does not govern the security of payment card data.5 The District Court denied Wyndham’s motion to dismiss and held, among other things, that (i) the FTC has authority pursuant to Section 5 of the FTC Act to assert an unfairness claim in the data security context, (ii) the FTC provided fair notice of what constitutes an unfair data security practice and is not required to issue regulations before bringing an unfairness claim, and (iii) the FTC’s complaint sufficiently pleaded an unfairness claim under the FTC Act.6 Because some California courts of appeal have applied the FTC’s three-prong definition of unfair, the Wyndham decision has implications for California’s Unfair Competition Law as well.
Although the District Court held that the FTC has authority under Section 5 to bring data security actions against companies, it is important to note that the Court’s opinion is in the context of a motion to dismiss. The issue of whether there was substantial injury to consumers will need to be litigated. Additionally, the Court makes clear that its decision is not a "blank check" for the FTC to bring lawsuits against any company that has experienced a data breach.7