Federal Trade Commission authority over data security breaches

Federal Appellate Court to Consider FTC Data Security Authority

The U.S. Court of Appeals for the Third Circuit this week agreed to consider whether the Federal Trade Commission has the authority to regulate companies’ data security practices.

On Tuesday, the Third Circuit granted Wyndham Hotel and Resorts’ petition for interlocutory review of Judge Esther Salas’s denial of a motion to dismiss a FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information.   Although Salas’s opinion is not binding, it received  considerable attention because it was the first court opinion to decide whether the “unfairness” prong of the Section 5 of the FTC Act provides the Commission with the authority to bring actions involving data security.

Denials of motions to dismiss are not immediately appealable, absent permission from both the district court and appeals court.  Salas certified the case for appeal in June, reasoning that there is substantial ground for differences of opinion on: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.

In a brief to the Third Circuit last month, the FTC stated that although the case does not meet all of the requirements for interlocutory review, the legal issues are important and would benefit from review by an appellate court.  A Third Circuit order affirming Judge Salas’s opinion “would advance the public interest by removing the uncertainty that Wyndham is attempting to generate regarding the Commission’s statutory authority to protect consumers from unreasonable and harmful data security lapses,” the FTC wrote.

In an amicus brief supporting Wyndham’s petition for review, the U.S. Chamber of Commerce wrote that “companies currently struggle to decipher coherent standards from the FTC’s dozens of consent orders and previous pronouncements on data security, and to accommodate those dictates with other security regulations and risk management protocols.”

Assuming that the Third Circuit publishes its opinion in this case, the ruling would be binding in Delaware, New Jersey, and Pennsylvania.


Free Consultation

Se Habla Español

The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.
I have read the disclaimer

Areas Represented

Our consumer protection, collection abuse and class action law firm, attorneys and lawyers represent clients throughout Illinois and Wisconsin including, but not limited to Chicago, Elgin, Aurora, Schaumburg, Naperville, Bolingbrook, Joliet, Plainfield, Barrington Hills, Waukegan, Winnetka, Evanston, DeKalb, Geneva, Batavia, Wheaton, Woodridge, Rockford, Harvey, Markham, Westchester, Cicero, Berwyn, Belvidere, West Chicago, Country Club Hills, Crestwood, Rolling Meadows, Romeoville, Chicago Heights, Tinley Park, Orland Park, Oak Forest, Homewood, Lansing, Calumet City, Hazel Crest, Dolton, Riverdale, Midlothian, Frankfurt, Oak Lawn, Oak Park, Cook County, DuPage County, Kane County, Will County, McHenry County, Lake County and more.