Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.
Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit. Anticipated since April, 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.
For all the background leading up to today’s ruling, we send you back to our April 2014 post summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint. The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures. The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers. Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.
The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”
This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.