March 27th, 2015

Wyndham and the Unfairness Jurisdiction

By: Ajitha Pichaipillai

Panel 5

I would like to write to few paragraphs regarding the Article, “An Era of Rapid Change: The Abdication of Cash & the FTC’s Unfairness Authority”, 14 PGH. J. Tech. L. & Pol’y 351. This Article discusses about the ‘unfairness’ jurisdiction of FTC in the data-privacy enforcement context. It provides a good summary of the Wyndham case, in which the Wyndham hotel group challenged the FTC’s authority to regulate data-security breaches.

Interestingly, Wyndham’s challenge of the FTC’s unfairness authority is three pronged: (i) the FTC lacks authority to pursue unfair practices related to data security, (ii) the unfairness actions related to data security require rulemaking, and (iii) the injury resulting from these payment card breaches is insufficient to support a claim. The second pronged argument on the requirement of rule making seems highly persuasive. Wyndham argues that any authority of FTC to regulate data security would require establishment through administrative rulemaking. It also suggests that the data security standards mandated by FTC, ex post, through selective enforcement actions and imposition of such standards on Wyndham could raise “serious constitutional questions of fair notice and due process”.

Even though, the motion to dismiss filed by Wyndham against the FTC’s compliant was dismissed by the district court, the questions certified by it for appeal may turn out to be determinative of FTC’s ‘unfairness jurisdiction’ in the data -security and data-privacy enforcement context. The questions, on which the Third Circuit is currently hearing the appeal, are: (i) Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and (2) Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

The oral arguments of the Wyndham’s appeal dated March, 3, 2015 (available at https://epic.org/amicus/ftc/wyndham/#interest), features interesting discussion on the origin and legislative reports of Section 45 (n) of the FTC Act and how far a negligent practice could be regarded as a ‘unfair practice’. Judges asks the FTC’s counsel to substantiate on the ‘adequacy of notice’ with respect to the standards purported to be imposed on Wyndham. The Judges also takes note of the FTC’s sparing use of its powers under Section 45(n) (according to the counsel, FTC’s has exercised its unfairness jurisdiction under Section 45 (n), in relation to data security breaches, only five times).

As EPIC notes, the decision of this appeal could have significant impact on FTC’s authority to regulate data security breaches and consumer’s privacy rights enforcement.