The FTC Fires Back Against Wyndham

Author:Mr Adam Veness
Profession:Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

The Federal Trade Commission (the "FTC") has filed its response to the Wyndham Hotel & Resorts LLC's ("Wyndham") Motion to Dismiss.  More information about Wyndham's Motion can be seen in an earlier blog post here.

In its response, the FTC rebuts Wyndham's Motion and argues three main points:

the FTC has authority to pursue unfair and deceptive practices claims related to data security; unfairness actions related to data security do not require rulemaking; and the injury resulting from a payment card breach is sufficient for FTC to pursue its claims. As support for its first point, the FTC asserts that it has authority to pursue unfair practices claims related to data security under Section 5 of the FTC Act because "Congress purposefully delegated broad power to the FTC under Section 5 of the FTC Act to address unanticipated practices in a changes economy."  The FTC further rejects Wyndham's claim that the FTC disclaimed its authority over unfair practices related to data security in its FTC's Report to Congress in 2000 (the "Report").  On the contrary, the FTC argues that Wyndham has mischaracterized the Report.  Although the Report states that FTC authority under Section 5 is limited to unfair or deceptive practices, this would only prohibit FTC enforcement actions in situations when the failure to adopt certain policies occurred without unfair or deceptive practices.

In further support of its first point, the FTC asserts that other data security statutes do not limit the FTC's authority under the FTC Act.  The FTC points out that there is no contradiction between the various data security statutes and the FTC Act, and that those statutes only provide the FTC with greater authority in limited contexts.  In addition, although Congress has repeatedly attempted to pass further...

To continue reading