Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

Timur Arbaev ©

Alert: Third Circuit Affirms FTC’s Authority to Regulate Companies’ Data Security

On Monday, August 24, 2015, the Third Circuit upheld the U.S. District Court’s opinion that the Federal Trade Commission (FTC) has the authority to regulate companies’ data security. Under the unfairness prong of Section 5 of the FTC Act, the agency may bring lawsuits against companies with arguably negligent data security practices, without a duty to publish regulations defining exactly what it considers “reasonable” security measures.

Between April, 2008 and January, 2010, Wyndham Worldwide Corp’s alleged data breaches subjected over 600,000 consumer credit card numbers to over $10.6 million in losses. Subsequently, in 2012 the FTC filed a complaint against Wyndham, alleging it had violated Section 5 in neglecting to maintain reasonable security measures. Most prior FTC enforcement actions resulted in settlements. However, instead of a settling, Wyndham contested the action, arguing that the federal agency was overreaching, and did not have the authority to regulate private companies’ data security practices.

The Third Circuit’s ruling is highly significant, in that, it empowers the government to hold companies accountable for failing to safeguard consumer data. 

To read the Appellate Court's opinion, click here

This article is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.