Editor’s Note: Wyndham’s Motion to Dismiss, filed by Kirkland and Ellis, is attached here. It should be argued, in disagreement with the views expressed below, that agencies have as yet untapped authority to regulate data security, at least with respect to data that the agencies use or rely on in public information disseminations, see here and here.
From: Manatt Phelps & Phillips LLP
The Federal Trade Commission lacks the authority to regulate the data security practices of private companies, Wyndham Hotel & Resorts argued in a recent motion to dismiss a suit brought against it by the agency.
In July, the FTC filed a complaint against Wyndham alleging that the hotel chain violated Section 5 of the FTC Act by misrepresenting the security measures in the company’s privacy policy and failing to protect customer information. The hotel suffered three data security failures in less than two years and caused millions of dollars in loss, the agency said.
But coming out swinging, Wyndham argued to the Arizona federal court that the FTC lacked authority to regulate data security practices and that the case should be dismissed. “Relying on Section 5’s prohibition on ‘unfair’ trade practices – which has traditionally been read to prohibit certain unconscionable or oppressive acts toward consumers – the FTC assumes that it has the statutory authority to do that which Congress has refused: establish data security standards for the private sector and enforce those standards in federal court,” according to Wyndham’s brief.
According to Wyndham, the agency’s enforcement authority is limited in light of several pieces of legislation prescribing very specific data security standards for certain elements of the private sector that are subject to FTC enforcement authority. It cites as examples the agency’s authority to enforce the requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies under the Fair Credit Reporting Act; the agency’s authority to promulgate its COPPA Rule under the Children’s Online Privacy Protection Act, which sets the boundaries for information collection from children; and the agency’s mandate to enforce data security requirements for financial institutions under the Gramm-Leach-Bliley Act.
The grant of authority delegated in those statutes would be “entirely superfluous” if the agency had all-encompassing powers to regulate data security for all companies and those statutes “are powerful evidence that the FTC lacks authority to regulate data security practices in cases (like this one) that fall outside the confines of these narrow delegations,” the brief contends.
Even if Section 5 granted the agency the authority to mandate data security standards, the FTC would have to establish such standards through rulemaking rather than adjudication like the suit brought against it, Wyndham added.
Wyndham also noted that the agency itself disclaimed the authority to promulgate all-encompassing data security standards in a 2000 report on information security, requesting the passage of legislation to provide it with the authority to issue detailed standards on the issue.
Why it matters: If the court were to grant Wyndham’s motion, the implications would be far-reaching. A limitation on its authority would create real hurdles to the regulation of data security and privacy, an area of particular focus for the agency.
Leave a Reply