April 23, 2014

Wyndham Motion Puts the FTC on the Defensive

Wyndham Hotel & Resorts LLC (“Wyndham”) has filed a Motion to Dismiss the Federal Trade Commission’s (the “FTC”) Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008.  More information about the FTC’s Complaint can be seen in an earlier blog post here.

The Wyndham counter-volley takes an interesting approach.  In its Motion, Wyndham argues that the FTC lacks authority under Section 5 of the FTC Act to regulate data security standrads.  Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Notably, Wyndham does not dispute that the FTC may bring enforcement actions against companies that make “deceptive” statements to consumers, i.e., misleading statements in a company’s privacy policy.  Wyndham contends, however, that the FTC is overextending its authority to regulate “unfair” acts or practices by attempting to regulate data security standards for the private sector.

As an example, Wyndham lists various statutes that grant the FTC explicit authority to regulate data security standards in specific contexts:

  •  The Fair Credit Reporting Act – imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
  • The Gramm-Leach-Bliley Act – mandates data-security requirements for financial institutions; and
  •  The Children’s Online Privacy Protection Act – requires websites to establish and maintain reasonable procedures to protect the confidentiality and security of information gathered from children.

Wyndham asserts that the FTC’s authority to regulate data security standards is limited to specific circumstances, and that Section 5 of the FTC Act does not provide the FTC with the broad authority upon which it relied in bringing its enforcement action against Wyndham.

As further support for its claim, Wyndham cites the FTC’s Report to Congress in 2000 (the “Report”).  In the Report, the FTC admitted that it “lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites, or portions of their Web sites, not directed to children.”  What’s more, in the Report, the FTC asked Congress to enact broader legislation requiring websites to “take reasonable steps to protect the security of the information they collect from consumers” and “provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.”

The implications of Wyndham’s Motion are far-reaching.  Indeed, if the court finds for Wyndham and dismisses the FTC’s enforcement action, the FTC will likely have a tough road ahead when attempting to settle future claims with companies that have suffered from data breaches as a result of inadequate data security standards.  Such a ruling for Wyndham could potentially provide enough ammunition to prompt Congress to step in and grant the FTC the authority that it requested over a decade ago in the Report.  Wyndham’s Motion brings to light a possible gap in the FTC’s authority to regulate data security standards, despite all of the settlements that the FTC has made with companies on the basis of that authority.

This is an argument worth watching.  Stay tuned.

©1994-2014 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Adam Veness, Securities, Attorney, Mintz Levin, Law Firm

Adam’s practice focuses primarily on securities offerings, securities compliance and venture capital financings. He represents companies in all stages of the business life cycle, from start-ups and emerging growth companies to established public companies. 

Adam was a Summer Associate at Mintz Levin in 2009. Before rejoining Mintz Levin, Adam worked at a litigation boutique where he represented businesses in a variety of civil litigation, including employment matters and construction litigation. His professional experience also includes clerking for the...


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.