Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

FTC v. Wyndham: Wyndham Calls for Back-Up

Posted in Data Breach Notification, Federal Trade Commission, Privacy Litigation, Privacy Regulation

Written by Adam Veness

It appears that Wyndham Hotel & Resorts LLC (“Wyndham”) has received reinforcements in its defense against the Federal Trade Commission’s (the “FTC”) case.  A federal judge has agreed to allow the U.S. Chamber of Commerce and several other organizations to file an amicus curiae brief in support of dismissing the FTC’s case against Wyndham. Since our last post about this case, Wyndham successfully had the case transferred from an Arizona federal court to a New Jersey federal court, and has requested oral arguments for its Motion to Dismiss filed last year.

In their brief, the U.S. Chamber of Commerce and the other organizations make three primary arguments:

1)      The FTC’s Section 5 authority to prohibit unfair trade practices does not give the FTC authority to establish general data security policy;

2)      Businesses cannot operate effectively and efficiently in an “evolving enforcement” regime; and

3)      Data security policy cannot be developed through unilateral pronouncement by the FTC, without regard for the legislative process.

Their arguments are similar to those made by Wyndham in its Motion to Dismiss, but they take Wyndham’s arguments one step further and focus more on the unfairness and arbitrariness of the FTC’s actions.  The brief argues that the FTC leverages its enforcement authority to extract settlements from businesses that have already been victimized by data security breaches, without formal notice of the standards being used by the FTC in its enforcement. Notably, the brief recognizes that the Wyndham case is among the first data-security “unfairness” proceedings because in the past, the FTC has been able to obtain Section 5 consent orders from the targeted businesses without evaluation by a court.

Without clear standards established by the legislative and judicial processes, the brief argues that there is no advance notice to businesses on what they are required to do to comply with the law in “in a rapidly changing technological environment.”  The brief rejects the FTC’s argument that businesses should focus on the FTC consent orders for guidance on what standards to follow because these standards are often too fact specific based on the case in the consent order, and do not have legislative or judicial oversight.

As a solution, the brief recommends that rather than establishing standards through “agency fiat”, standards should be established through a dialogue with all involved stakeholders, through democratically accountable means.  Indeed, the brief argues that the FTC focus its efforts in Congress to enact legislation to provide the FTC with the authority it seeks, rather than engaging in backdoor rulemaking through its consent orders and without having to answer to Congress or the courts.

The U.S. Chamber of Commerce and other organizations raise some interesting arguments in their brief and they have certainly provided Wyndham with much needed ammunition against the FTC.  It will be interesting to see whether this will be enough to tip the scales in Wyndham’s favor.

 

Earlier Posts:

The FTC Fires Back Against Wyndham (11/2/2012)

Wyndham Motion Puts the FTC on the Defensive (8/31/2012)

FTC Sues Wyndham Hotels (6/27/2012)