FTC May Have Authority to Regulate Companies’ Data Security Practices

March 5, 2015 | By Lawrence J. Tabas

Between 2008 and 2010, hackers stole credit card information from the computer network of Wyndham Hotels & Resorts LLC (“Wyndham”), affecting hundreds of thousands of Wyndham’s customers. The Federal Trade Commission (the “FTC”) took action and filed suit against Wyndham in U.S. District Court, alleging that Wyndham violated Section 5 of the FTC Act by failing to take reasonable measures to protect customers’ credit card information.

Wyndham has taken the position that the FTC does not have the authority to regulate the data security practices of companies. U.S. District Court Judge Esther Salas found otherwise. This issue is now before the Third Circuit.

Section 5 of the FTC Act makes unlawful “unfair or deceptive acts or practices in or affecting commerce.” The FTC argues that Wyndham’s lack of security measures constitutes an “unfair practice.” In a brief recently filed with the Third Circuit, the FTC states that “Wyndham ignored multiple warning signs that its network had been compromised, and it failed to address repeated and obvious security lapses that left its computer networks vulnerable to intruders. As a result, hackers infiltrated Wyndham’s computer network and stole customer credit card information, which was used to make millions of dollars in fraudulent charges on the accounts of Wyndham’s customers.”

Wyndham argues in its brief to the Third Circuit that “the FTC has never identified any standard, or otherwise provided any meaningful guidance, regarding what cybersecurity measures are ‘reasonable and appropriate.’ In the absence of such guidance, businesses cannot conform their conduct to the law, and are subject to enforcement at the FTC’s whim—the very antithesis of the rule of law.”

The Third Circuit heard oral arguments this week, where counsel was asked to discuss the following questions:

  1. Has the FTC declared that unreasonable cybersecurity practices are “unfair,” 15 U.S.C. § 45(a), through the procedures provided in the FTC Act, 15 U.S.C. §§ 41-58?
  2. Assuming it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?

This case is noteworthy because the result may greatly impact a company’s cybersecurity practices. The Health Law Gurus™ will continue to follow this case. Check back regularly for updates.

Do you think the FTC should have the authority to regulate a company’s data security practices?

For more information about this case, to read the District Court’s Opinion, and to read the FTC’s complaint and Third Circuit Brief, click here.


About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
