
Judge denies Wyndham motion challenging FTC authority

A federal judge in New Jersey made a significant ruling that upheld the data security authority of the Federal Trade Commission (FTC).

On Monday, U.S. District Court Judge Esther Salas denied (PDF) Wyndham Worldwide's motion to dismiss FTC claims accusing the hotelier of “unfair” and “deceptive” practices related to its failure to adequately secure consumer data.

According to the FTC, the offenses in the Wyndham case began when Russian hackers breached the hotelier's Phoenix data center in 2008 and stole the financial information of customers, leading to two subsequent breaches in a two-year period.

In the suit filed against Wyndham in June 2012, the FTC alleged that more than $10 million in fraudulent purchases were made by using hundreds of thousands of credit card numbers belonging to customers.

In response, Parsippany, N.J.-based Wyndham, one of the world's largest hospitality companies, objected to the FTC's reliance in this case on its right to enforce “unfair or deceptive acts or practices” related to data security.

Just last Wednesday, FTC Chairwoman Edith Ramirez testified before a Senate committee on the agency's vigilant data security and privacy efforts for consumer protection. Before Senate members, Ramirez said that the FTC had settled 50 cases involving companies that were called to task for failure to provide “reasonable protections for consumers' personal information.”

In court documents filed Monday in the FTC-Wyndham case, Judge Salas rejected Wyndham's specific arguments challenging the FTC's authority to make “unfairness” data security claims. In addition, the court rejected Wyndham's argument that the FTC must formally issue regulations before levying such claims.

Lastly, Judge Salas disagreed with Wyndham's reasoning that the FTC pleaded insufficiently to support unfairness or deception claims.

The judge did, however, say that the ruling on Monday did not give the FTC “a blank check to sustain a lawsuit against every business that has been hacked.”

“Instead, the court denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage – in view of binding and persuasive precedent,” Judge Salas' opinion said.
