In a precedential ruling, the U.S. Court of Appeals for the Third Circuit has affirmed a lower court ruling that the Federal Trade Commission (“FTC”) has authority to police companies’ data security practices.
The case — FTC v. Wyndham Worldwide Corp., et al — was on appeal from the U.S. District Court for the District of New Jersey, which ruled in April 2014 that the FTC has statutory authority over data security as relates to Section 5 of the FTC Act and cited the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act as complements to this authority.
The FTC filed a complaint against Wyndham in June 2012, alleging that the company had failed to adequately protect its customers’ personal information in violation of Section 5(a) of the FTC Act prohibiting unfair and deceptive practices. According to the FTC complaint, Wyndham’s failures led to three data security breaches that compromised customer credit card information between 2008 and 2010.
In response to the complaint, Wyndham filed a motion to dismiss on the grounds that the FTC lacked authority to bring a Section 5 action and that the agency had failed to formally publish regulations prior to bringing the complaint.
In its April 4, 2014, decision, the New Jersey District Court said that the FTC had fulfilled its obligations to provide fair notice through other means, including public statements, guidance brochures and other publications, noting that, “the issue is whether fair notice requires the FTC to formally issue rules and regulations before it can file an unfairness claim in federal district court. And, to that extent, the Court is not so persuaded.”
In a unanimous decision, the Third Circuit rejected Wyndham’s argument that its data security practices were not an “unfair and deceptive practice,” saying that an act does not have to be “unscrupulous” or “unethical” to be considered unfair. In addition, the Court disagreed with Wyndham’s contention that it was not involved in unfair practices because the company itself was a victim of the data breach and it did not target its customers unfairly. The Court noted that Wyndham itself did not have to be the “most proximate cause” of a customer’s injury to be held liable for that injury.
The attorneys at Glass & Goldberg in California provide high quality, cost-effective legal services and advice for clients in all aspects of commercial compliance, business litigation and transactional law. Call us at (818) 888-2220, send an email inquiry to info@glassgoldberg.com or visit us online at glassgoldberg.com to learn more about the firm and to sign up for future newsletters.
