Wyndham Motion Puts The FTC On The Defensive

Author:Mr Adam Veness
Profession:Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Wyndham Hotel & Resorts LLC ("Wyndham") has filed a Motion to Dismiss the Federal Trade Commission's (the "FTC") Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008.  More information about the FTC's Complaint can be seen in an earlier blog post here.

The Wyndham counter-volley takes an interesting approach.  In its Motion, Wyndham argues that the FTC lacks authority under Section 5 of the FTC Act to regulate data security standrads.  Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce."  Notably, Wyndham does not dispute that the FTC may bring enforcement actions against companies that make "deceptive" statements to consumers, i.e., misleading statements in a company's privacy policy.  Wyndham contends, however, that the FTC is overextending its authority to regulate "unfair" acts or practices by attempting to regulate data security standards for the private sector.

As an example, Wyndham lists various statutes that grant the FTC explicit authority to regulate data security standards in specific contexts:

 The Fair Credit Reporting Act – imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies; The Gramm-Leach-Bliley Act – mandates data-security requirements for financial institutions; and  The Children's Online Privacy Protection Act – requires websites to establish and maintain reasonable procedures to protect the confidentiality and security of information gathered from children. Wyndham asserts that the FTC's authority to regulate data security standards is limited to specific circumstances, and that Section 5 of the FTC Act does not provide the FTC with...

To continue reading