
Wyndham Decision Upholds FTC Authority to Regulate Data Security

Client Alert | 4 min read | 04.08.14


Recent Happenings in APRM
April 2014

In a much-anticipated decision, the U.S. District Court for the District of New Jersey upheld the FTC's authority to regulate data security practices. The court denied Wyndham Worldwide Corporation's motion to dismiss, which challenged the FTC's authority to pursue unfair and deceptive trade practices claims arising from a cyber breach. The complaint against Wyndham asserts that Wyndham's data security policies constituted unfair and/or deceptive trade practices, prohibited by Section 5(a) of the FTC Act, codified here. This is only the second challenge to the FTC's data security regulatory authority under Section 5 in federal court. In the first, FTC v. Accusearch, the 10th Circuit supported the FTC's authority under Section 5 of the FTC Act.

Wyndham and its subsidiaries own and manage franchised Wyndham hotels throughout the United States. From 2008 to 2010, hackers, allegedly operating out of Russia, gained unauthorized access to Wyndham's computer network and to the property management systems of individual hotels on three separate occasions. According to the complaint, the hackers accessed over half a million unique payment card accounts, along with their associated names and security codes. These account numbers were exported to a domain registered in Russia. Fraudulent charges on the compromised card accounts totaled over $10 million. The FTC filed its complaint on June 26, 2012, alleging that Wyndham's failure to enact reasonable data security policies constituted an unfair trade practice, and that its published online privacy policy was "deceptive."

Wyndham challenged the FTC's authority to regulate data practices under Section 5. First, Wyndham argued that the FTC lacked authority under the unfairness prong of Section 5(a) of the FTC Act to regulate data security practices. Wyndham argued that the existence of other data security regulations as well as the FTC's past statements disclaiming any authority over data security practices precluded the FTC's claims. Judge Salas disagreed, holding that "the FTC's unfairness authority over data security can coexist with the existing data-security regulatory scheme." Further, she noted that "even accepting that the FTC shifted its stance on data security, this cannot limit its authority without more." 

Next, Wyndham argued that "it would violate basic principles of fair notice and due process" to allow the FTC to regulate data security practices under the unfairness prong without promulgating rules explaining how it intended to do so. The court disagreed, observing there is no requirement for the "FTC to formally publish a regulation before bringing an enforcement action under Section 5's unfairness prong." 

Finally, Judge Salas ruled that the consumer injuries alleged in the complaint were both substantial and not reasonably avoidable. Notwithstanding the federal limit of $50 for consumer liability for unauthorized use of payment cards, the court found that the allegation of misuse of the hacked payment card data sufficed for the purposes of surviving a motion to dismiss. Similarly, the court found Wyndham's argument that consumers could potentially avoid injury by seeking remuneration from their card issuers required an analysis that was too fact-dependent to grant a motion to dismiss. 

Concerning the FTC's deception claim, Wyndham argued that the FTC's complaint lacked merit because the Wyndham-branded hotels and the company, Wyndham Hotels and Resorts, LLC, are legally separate entities, and in any event, the company's privacy policy expressly disclaimed any representations as to the data security practices of the Wyndham-branded hotels. Judge Salas rejected the argument that Wyndham and Wyndham-branded hotels are separate entities for the purpose of the complaint. She also ruled that Wyndham's disclaimers did not effectively communicate its privacy policy to consumers. 

This case essentially leaves undisturbed the FTC's authority under Section 5 to regulate data practices and investigate data breaches. The FTC has investigated multiple data security matters, and FTC Commissioners have underscored the high priority the Commission places on vigorous enforcement to protect consumers from data security breaches. In past cases, FTC enforcement has resulted in consent orders that call for improvements in privacy protection, oversight of privacy policies, privacy audits and fines that have been as high as $35 million.
