In a victory for the Federal Trade Commission, a federal judge declined to dismiss the agency's data security case against Wydham Worldwide Hotels, allowing it to move forward.
The case, in the U.S. District Court in New Jersey, is being closely watched as a test for how much authority the FTC has in bringing cases against companies the agency deems have inadequate data security standards.
So far, the agency has brought more than 50 data security cases under its unfair and deceptive authority even as it advocates that Congress pass legislation giving the agency more authority to set data security standards.
In January 2012, the FTC filed suit against Wyndham, alleging that its faulty data security practices that allowed hackers to break into the hotel's computer system were an "unfair" trade practice resulting in fraudulent charges on consumers' accounts totaling $10.6 million.
Wyndham challenged the FTC's claim, arguing that not only is it the victim, but that the FTC lacks legal authority to regulate data security standards for companies.
Backing up the FTC, Judge Esther Salas wrote in a 42-page decision that the FTC's complaint "sufficiently pleaded an unfairness claim under the FTC Act and satisfies Federal Rule of Civil Procedure."
An ultimate win for Wyndham would tie the hands of the FTC, which has brought a number of data security and data breach cases, including LabMD (which is also suing the FTC) and most recently Fandango and Credit Karma. The agency is also reportedly investigating the most recent Target data breach that impacted 110 million consumers.
"I'm pleased that the court has recognized the FTC's authority to hold companies accountable for safeguarding consumer data, and we look forward to trying this case on the merits," said FTC chairwoman Edith Ramirez. "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers."
The decision is not all bad news for Wyndham as the case goes forward. "This decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked," wrote Judge Salas wrote.
Wyndham is sticking to its position that the FTC overstepped its authority. "It is important to note that the court made no decision on liability today. We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," the company said in a statement.
TechFreedom, a technology think tank that filed an amicus brief in the case, said that the court missed the point in the Wyndham case. "The court dodged the hard question: does the FTC's body of roughly 50 unadjudicated settlements and a skimpy 'guidance brochure' provide adequate notice? Given that so few companies will challenge the FTC in court, does the FTC have too much discretion?" said Berin Szoka, TechFreedom's president. "We believe the FTC must do more to explain its analysis of both unfairness and deception, that, in most cases, it could do so without great difficulty, but that in hard cases, the future direction of the law must ultimately be up to the courts, not the three unelected FTC bureaucrats."