Third Circuit Court of Appeals to Consider FTC Data Security Authority
The U.S. Court of Appeals for the Third Circuit this week agreed to consider whether the Federal Trade Commission has the authority to regulate companies’ data security practices.
On Tuesday, the Third Circuit granted Wyndham Hotel and Resorts’ petition for interlocutory review of Judge Esther Salas’s denial of a motion to dismiss a FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information. Although Salas’s opinion is not binding, it received considerable attention because it was the first court opinion to decide whether the “unfairness” prong of the Section 5 of the FTC Act provides the Commission with the authority to bring actions involving data security.
Denials of motions to dismiss are not immediately appealable, absent permission from both the district court and appeals court. Salas certified the case for appeal in June, reasoning that there is substantial ground for differences of opinion on: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.
In a brief to the Third Circuit last month, the FTC stated that although the case does not meet all of the requirements for interlocutory review, the legal issues are important and would benefit from review by an appellate court. A Third Circuit order affirming Judge Salas’s opinion “would advance the public interest by removing the uncertainty that Wyndham is attempting to generate regarding the Commission’s statutory authority to protect consumers from unreasonable and harmful data security lapses,” the FTC wrote.
In an amicus brief supporting Wyndham’s petition for review, the U.S. Chamber of Commerce wrote that “companies currently struggle to decipher coherent standards from the FTC’s dozens of consent orders and previous pronouncements on data security, and to accommodate those dictates with other security regulations and risk management protocols.”
Assuming that the Third Circuit publishes its opinion in this case, the ruling would be binding in Delaware, New Jersey, and Pennsylvania.