For the first time, a business challenged the very authority of the FTC to regulate the data security practices of private businesses in FTC v. Wyndham Worldwide Corp., No. 2:13cv1887 (D.N.J. 2014). The FTC alleged that franchisor Wyndham Hotels and Resorts, along with its affiliates, engaged in deceptive practices by misrepresenting that it used “industry standard practices” and “commercially reasonable efforts” to secure the data it collected from guests, and in unfair practices by failing to protect customer data. Between 2008 and 2010, a criminal organization hacked into the property management system multiple times and accessed credit card information from several hundred thousand guests. For its remedies, the FTC sought both monetary damages and a permanent injunction requiring Wyndham and its franchisees to better secure their systems.

The FTC has been increasingly aggressive in bringing enforcement actions against private businesses under the FTC Act following data privacy and security breaches. Because these actions generally have been resolved through settlements and consent decrees, there are very few court opinions defining the boundaries of FTC authority in this area. In fact, Wyndham was the first company to overtly challenge the FTC’s authority to regulate and impose data security standards on businesses through enforcement actions under the FTC Act.

In a motion to dismiss that was denied in April 2014, Wyndham essentially argued that Congress never granted the FTC such broad authority to regulate in this area and that, even if it did, the FTC has not provided businesses with fair notice of what data security practices it believes the FTC Act forbids or requires. A court decision in favor of Wyndham that limited the FTC’s investigative and enforcement powers would have had a profound impact on data privacy and security law enforcement. But the court denied Wyndham’s motion and affirmed the FTC’s enforcement authority, including over claims of inadequate data security.