Thought Leadership

Wyndham Ruling Questions FTC's Past Approach to Data Security Regulation

September 22, 2015 Advisory

Although the Federal Trade Commission (FTC) was widely hailed as the victor in a recent federal appeals court ruling allowing the FTC’s data security breach case to proceed against Wyndham Worldwide Corporation, the decision raises questions about how the FTC has historically regulated information and data security practices.

On August 24, 2015, the Third Circuit Court of Appeals issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, rejecting the defendant’s preliminary bid to end the suit accusing it of failing to protect its computers from hackers. Since then, much of the coverage has focused on reports that the Third Circuit acknowledged the authority of the FTC to proceed with a claim that the defendant engaged in unfair practice under Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair and deceptive trade practices that cause consumer harm. In particular, the FTC asserted a violation of the FTCA as a result of repeated data theft by hackers.

Perhaps more notable, and as observed by a minority of commentators, such as Justin Hurwitz of Nebraska College of Law on the website, is what the Wyndham decision says about the FTC’s past approach to regulating information and data security practices. Since 2005, the FTC has been pursuing claims against companies with allegedly deficient cybersecurity practices and has resolved many of those claims with consent decrees in administrative cases. The FTC also published a guidebook of practices for a sound data security plan. The FTC has relied on these materials as a type of general law of data security.

The Third Circuit’s opinion, however, is critical of the FTC’s reliance on this so-called common law. Specifically, the Third Circuit observed that the consent decrees, "were of little use to [Defendant] in trying to understand the specific requirements imposed by [the FTCA]" and that "it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees." Similarly, the appeals panel observed that "the guidebook could not, on its own, provide ‘ascertainable certainty’ of the FTC’s interpretation of what specific cybersecurity practices fail [the FTCA]."

Accordingly, although the Third Circuit’s opinion in Wyndham affirms the FTC’s authority in the area of information and data security, it calls into question the body of general law regarding information and data security upon which the FTC has historically relied. Furthermore, because the issues addressed by the Third Circuit came up in the context of a motion to dismiss, in which the appeals panel was required to treat all allegations in the complaint as true, the case is far from over and the veracity of the FTC’s allegations and the merit of the FTC’s theories have yet to be proven. In light of the FTC’s ongoing activity in the area of cybersecurity, the Wyndham case is one that members of Armstrong Teasdale’s Privacy and Data Security Group will continue to monitor.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware