Court Challenge to Scope of FTC Authority to Regulate Data Security

By: Jenna Small


In what is being called “unprecedented litigation,” the FTC has sued Wyndham Worldwide Corporation in federal court, alleging violations of Section 5 of the FTC Act for unfair and deceptive practices regarding Wyndham’s data security measures. The FTC accused Wyndham of misrepresenting its information security policies and failing to provide sufficient security safeguards, which allegedly resulted in three major network breaches, the exposure of 600,000 credit card accounts and $10.6 million in fraudulent charges.


Wyndham has moved to dismiss the complaint, arguing that the FTC lacks authority to regulate data security standards for all industries under the unfairness prong of Section 5.  Wyndham contends that this is a “classic example of agency overreaching” and the FTC’s authority to regulate data security is limited to those areas where Congress has given the FTC specific rule-making authority (e.g., FCRA, GLBA, COPPA, and HIPAA).  Wyndham also asserts that the theft of credit card data does not constitute “substantial injury” as envisioned by Section 5 because federal law restricts consumer liability for unauthorized payments.


In its opposition to Wyndham’s motion to dismiss, the FTC maintains that Congress deliberately chose not to enumerate specific prohibited practices under Section 5, and thus the agency was delegated broad authority to prohibit unfair practices (citing other established uses of this power absent explicit statutory grants). The FTC further argues that this sort of systemic injury, a small harm to a large number of consumers, was the type of “substantial injury” contemplated by Congress in enacting the FTC Act.


In the 41 data security enforcement actions to date, the defendants have signed consent decrees with the FTC.  Since this is the first judicial test of the scope of FTC regulatory authority under the unfairness prong, the case may have significant ramifications for the agency’s regulations of data security standards and may ultimately necessitate legislative intervention.


For an article summarizing the complaint and subsequent motions (with links to the briefing), please refer to the following link: