December 6, 2021

Volume XI, Number 340

Advertisement
Advertisement

December 06, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Breaking News: FTC vs. Wyndham Update - Privacy Monday - August 24, 2015

Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.

Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit.   Anticipated since April, 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.

For all the background leading up to today’s ruling, we send you back to our April 2014 post  summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint.  The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures.  The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers.  Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.

The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”

This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume V, Number 236
Advertisement

About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Advertisement
Advertisement
Advertisement