New Jersey District Court Affirms FTC’s Enforcement Authority Over Data Security Practices, Wyndham Case Proceeds

A New Jersey District Court recently upheld the Federal Trade Commission’s authority to bring enforcement actions alleging that a company has failed to maintain reasonable and appropriate data security measures and denied Wyndham Worldwide Corporation’s motion to dismiss the FTC’s complaint against the hotel chain based on a recent data security breach. In its decision, the court rejected Wyndham’s contention that the FTC had overstepped its statutory authority. Instead, the court found that the FTC’s regulation of data security under Section 5 of the FTC Act does not conflict with congressional policy and may coexist alongside the existing federal statutory schemes that protect certain health, financial, and other subsets of data.

Moreover, the court determined that the FTC was not required to formally issue rules and regulations specifying the steps companies need to take in order to implement “reasonable” data security practices. According to the court, regulations are not the only means of providing sufficient fair notice: Plaintiffs themselves cited to standard industry guidance, the FTC’s business guidance brochure, and the FTC’s public complaints and consent orders from previous enforcement actions.

Tip: The FTC has continued to bring cases against companies that it believes have provided insufficient privacy protection to consumers since Wyndham originally filed suit challenging the FTC’s authority. This case provides further support for the FTC’s perspective that it has the authority to bring these cases and puts companies on notice that it will continue to do so.