We are on “Wyndham Watch” here at Arnold & Porter – along with businesses throughout the country worried about the regulation of data security – pending a ruling in the global hospitality company's challenge to the Federal Trade Commission’s authority “to set data-security standards for any American business operating in any industry.” Wyndham raised this challenge in a motion to dismiss the FTC’s claims that Wyndham and its three subsidiaries engaged in “unfair and deceptive acts or practices” and thereby violated Section 5 of the Federal Trade Commission Act, by leaving their computer information systems vulnerable to hackers three times between 2008 and 2009. According to the Commission, Wyndham misrepresented the data security measures the company had implemented and failed to protect consumers’ personal information, rendering consumers’ accounts victim to more than $10 million in fraudulent charges.
The federal district court that is hearing the case has yet to rule on Wyndham’s motion to dismiss, filed almost six months ago, but last week the court granted the government a small victory. Wyndham had sought a stay of discovery pending the court’s ruling on its motion to dismiss, arguing that further proceedings would be wasteful in the interim. The court disagreed in its ruling last week: Wyndham must exchange pre-trial evidence with the FTC while the court continues to consider Wyndham’s motion.
Wyndham’s challenge to the FTC’s asserted authority is the first of its kind and the court’s ruling on this issue will have consequences nationwide. Dismissal of the Wyndham case would send a strong message to the Commission that its authority to use Section 5 to establish data protection standards is strictly limited. Given the lack of other sources of federal regulation in the area that are broadly applicable to more than certain sectors, the FTC’s use of Section 5 as a data protection “weapon” has been perhaps the most powerful “regulatory” force in the data privacy and security area for many businesses. Curbing that force would have widespread significance, potentially beyond the area of personal data protection, for the Commission’s actions under Section 5.
Although there is no basis for a firm prediction that the court’s denial of Wyndham’s request for a stay indicates how the court will rule on the company’s motion to dismiss, the ruling last week certainly raises the question: “why would the court refuse to stay the proceedings knowing that it planned to grant the motion to dismiss -- why subject the parties to additional costs of litigation if the litigation has an end in sight?” There are two more likely scenarios: either (1) the court, after six months, still has not found one argument more persuasive than the other; or (2) the court plans to issue a ruling allowing the FTC to continue its current data security enforcement efforts under Section 5. If the former, we may be on “Wyndham Watch” for the foreseeable future. If the latter, we can expect the FTC to continue with renewed confidence to employ Section 5 as an aggressive tool to advance the Commission’s agenda with respect to regulation of data security.