Wyndham hotels failed to persuade a Judge to dismiss the 2012 suit filed by the FTC “for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years…that led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.” On April 7, 2014 US District Judge Esther Salas (District of New Jersey) denied Wyndham Hotels and Resorts’ motion to dismiss on these 3 issues:
First, Hotels and Resorts challenges the FTC’s authority to assert an unfairness claim in the data-security context. Citing recent data-security legislation and the FTC’s public statements, Hotels and Resorts likens this action to FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000). It declares that, under Brown & Williamson, the FTC does not have the authority to bring an unfairness claim involving data security.
Second, Hotels and Resorts asserts that the FTC must formally promulgate regulations before bringing its unfairness claim. It contends that, without promulgating such regulations, the FTC violates fair notice principles.
Third, Hotels and Resorts argues that the FTC’s allegations are pleaded insufficiently to support either an unfairness or deception claim. Hotels and Resorts asserts that the FTC fails to plead certain elements of each of these claims and fails to otherwise satisfy federal pleading requirements.
Computerworld reported that:
Several trade groups and the U.S. Chamber of Commerce also question the agency’s authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act. They accused the agency of trying to hold companies to security standards not included in FTC guidelines.
Given the high visibility of the privacy concerns in the hotel industry this will be an important case to follow.