Federal Judge Rules Against Claims that FTC Lacks Power to Regulate Data Security
Yesterday, the judge in Federal Trade Commission (FTC) v. Wyndham delivered a strong win for the FTC, denying Wyndham’s claim that the agency lacked the authority to regulate data security. The opinion denied in full Wyndham’s motion to dismiss the case. The case will go to trial, but the judge’s rulings bode well for the FTC’s chances of victory.
The case concerns the Wyndham hotel chain’s poor data security practices, which allowed unauthorized hackers to breach Wyndham’s security systems on three separate occasions, giving them access to hotel guests’ credit card information. The company failed to encrypt payment data and used default logins and passwords, leading to multiple breaches that exposed consumers to very real harms. Beyond dismissing Wyndham’s claim that the FTC can’t regulate data security cases, the judge’s opinion systematically refutes Wyndham’s other claims that the FTC needs to promulgate rules in order to provide fair notice and that the agency failed to make sufficiently specific allegations concerning the security practices and breaches for a federal lawsuit.
We’ve written before about how vital it is for the FTC to have the authority to regulate data security. The Wyndham case was an egregious instance of poor data security practices that harmed consumers. In the months since the case was filed, multiple high-profile data breaches have demonstrated the real need for strong security protections to reduce the risk of unauthorized access. The FTC plays a vital role in ensuring that companies create and update those protections.
While the court’s decision is welcome in its determination that the FTC can seek enforcement actions against poor data security practices, we have echoed the calls of FTC Chair Edith Ramirez for stronger FTC authority in this area, and in protecting consumer privacy generally. Allowing the FTC to promulgate rules and seek civil penalties for initial violations of the FTC Act would promote stronger consumer privacy practices by companies, and would signal to the American public and the world at large that the U.S. takes issues of data privacy and security seriously. We hope that the FTC will continue to play an important role in promoting these values.