The first-ever case to legally challenge the Federal Trade Commission's authority to regulate data security practices did not end well for companies, potentially opening the door to more cyber-security compliance and legal risks.

On April 7, U.S. District Court Judge Esther Salas of the District of New Jersey ruled that the FTC could move forward with its lawsuit against Wyndham Worldwide over allegations that the global hospitality company's data security practices violated Section 5 of the FTC Act, which bars unfair and deceptive acts and practices.

The case, FTC v. Wyndham Worldwide, is the latest saga in a complaint the FTC filed against Wyndham in June 2012 over allegations that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information. The FTC further alleged in its complaint that Wyndham's failure to remedy known security vulnerabilities, and failure to employ reasonable measures to detect unauthorized access, led to three data breaches at Wyndham hotels in less than two years.

The first breach, which occurred in April 2008, led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers' payment card account numbers to a domain registered in Russia. The second and third breaches, which occurred in 2009, enabled hackers to access more than 119,000 consumer payment card accounts and make fraudulent purchases with those accounts.

In the opinion, Salas disagreed with Wyndham's argument that the FTC overstepped its authority by alleging that the inadequate data security practices constituted “unfair” practices under the FTC Act, ruling that the court would not “carve out a data-security exception to the FTC's authority.”

“This decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” Salas stressed. “Instead, the court denies a motion to dismiss given the allegations in this complaint, which must be taken as true at this stage, in view of binding and persuasive precedent.”

The case will now proceed on the issue of whether Wyndham's data security practices constituted a Section 5 violation.

In a statement, Wyndham said it plans to vigorously defend its position. “We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” the company stated.

The case against Wyndham is part of the FTC's ongoing efforts to make sure that companies live up to the promises they make about privacy and data security. As of May 2011, the FTC has brought 32 legal actions against organizations that have violated consumers' privacy rights, or misled them by failing to maintain security for sensitive consumer information.

As a result, taking the proper steps to avoid an FTC investigation is more important than ever. “They should carefully review their data handling practices to ensure that they are in accord with their privacy policy,” says Sanjay Nangia, an associate with law firm Davis Wright Tremaine. “Further, they would be wise to invest in the necessary resources required to safeguard data and regularly ensure that their methods are state-of-the-art.”