This might be a good time to follow up on my previous coverage of the FTC complaint against Wyndham, and Wyndham’s motion to dismiss. As I noted previously, this is the first time that the FTC has faced an actual legal challenge to its authority to bring an action over data security.
Since my last update on the case, the Chamber of Commerce of the United States of America, the Retail Litigation Center, and the American Hotel & Lodging Association have submitted a joint amicus brief in support of Wyndham’s motion to dismiss. The International Franchise Association also filed its own amicus brief in support of Wyndham. The gist of their argument seems to mimic Wyndham’s MTD argument that the FTC has exceeded its authority and is trying to accomplish via application of the “unfairness” doctrine what it has not been authorized to do via rulemaking. As amici argue, in part, “An attack that primarily victimizes the business itself cannot be considered “unfair” to consumers.” Why not? The two are not mutually exclusive: a business can become a victim – due to inadequate data security policies and practices – and be “unfair” to consumers who relied on them to maintain adequate data security.
For its part, the FTC filed a response to Wyndham’s motion to dismiss the suit against the affiliates, and a separate response to Wyndham’s motion to dismiss against WHR. It is the latter response that I was most interested to read, as in that response, they address Wyndham’s allegations that the FTC does not have the authority to enforce data security and that the FTC exceeded what Congress permitted.
In its response, the FTC argues, in part:
Wyndham’s criticism that data security is not enumerated in the “plain text of Section 5” (Wyndham Mot. 6) simply states the obvious: Section 5 does not identify specific acts or practices. Indeed, the statute also does not mention any of the established uses of its unfairness provision, including unsafe farm equipment (see In the Matter of Int’l Harvester Company, 104 F.T.C. 949 (1984)); online check drafting and delivery (see Neovi, 604 F.3d 1150); business opportunity scams (see FTC v. Stefanchik, 559 F.3d 924 (9th Cir. 2010)); weight-loss products (see FTC v. Garvey, 383 F.3d 891 (9th Cir. 2004)); telephone billing processors (FTC v. Inc21.com Corp., 2012 WL 1065543, No. 11-15330 (9th Cir. March 30, 2012)); or many other practices affecting commerce, all of which courts routinely find to be subject to Section 5 of the FTC Act. Congress clearly intended the FTC Act to give the FTC the broad enforcement authority that Wyndham asks the Court to read out of the statute.
There’s much more, of course, but I’m happy to let the lawyers weigh in on the merits of the arguments.
Politically, I can see where this case will result in even more lobbying efforts in Congress to not give the FTC greater authority. But that may be precisely why it’s needed.