Third Circuit Gives Green Light to Review Of Wyndham Hotels Data Security Ruling

July 30 — The U.S. Court of Appeals for the Third Circuit July 29 granted a petition by Wyndham Hotels and Resorts LLC for an interlocutory appeal of portions of a district court opinion refusing to dismiss a Federal Trade Commission data security enforcement action against the hotelier .  

The case has been closely watched by businesses and attorneys because it involves one of the only instances of a company challenging the FTC's authority to take action against alleged lax data security practices. The appellate court review of that issue is a first.

FTC Takes Hotelier to Court

The FTC initiated an enforcement action against Wyndham Worldwide Corp. and three of its subsidiaries in 2012, alleging that computer network intrusions led to more than $10.6 million in payment card fraud losses.

Wyndham and its subsidiaries moved to dismiss the case, arguing that the FTC exceeded its congressional authority and that its use of data security enforcement actions lacked regulatory backing and failed to give them notice of which practices were lawful.

On April 7, the U.S. District Court for the District of New Jersey denied a motion to dismiss by Hotels and Resorts, ruling that the FTC has authority under the unfairness prong of Section 5 of the FTC Act, 15 U.S.C. § 45(a), to bring a data security enforcement action against the company (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL 94785 (D.N.J. Apr. 7, 2014)). Specifically, the court said the FTC didn't need express authority from Congress to bring data security enforcement actions under the FTC Act and didn't have to promulgate prior data security regulations.

Trial Court OK'd Interlocutory Review

In a June 23 unpublished opinion, the district court ruled that Hotels and Resorts could seek interlocutory review of portions of the April 7 opinion (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL 174519 (D.N.J. June 23, 2014)).

The district court ordered the following questions to be certified:

  •  “Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).”
  •  “Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).”
  •  

    In separate June 23 unpublished opinion, the district court ruled that the FTC adequately alleged that several Wyndham Hotels entities operated as a common enterprise (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL 173985 (D.N.J. June 23, 2014)).

    Judge Michael A. Chagares issued the Third Circuit order. Judges Thomas L. Ambro and Thomas I. Vanaskie were also on the panel.

    The FTC represented the commission in the Third Circuit matter. Kirkland & Ellis LLP, Gibbons PC and Stanford Law School represented the Wyndham entities.

    Full text of the court's order is available at http://www.bloomberglaw.com/public/document/FTC_v_Wyndham_Worldwide_Corp_et_al_Docket_No_1408091_3d_Cir_Jul_0.