Wyndham Secures Interlocutory Appeal Challenging The FTC’s Authority To Regulate Cybersecurity Practices

As part of our ongoing effort to advise clients on significant developments in cybersecurity that are likely to impact their businesses, we have been actively reporting on the case of in FTC v. Wyndham Worldwide Corporation, et al., pending before U.S. District Judge Esther Salas in New Jersey. In April of this year we issued a client alert discussing the much anticipated April 7, 2014, decision by Judge Salas, which rejected a direct challenge to the Federal Trade Commission's ("FTC") authority to police corporate cybersecurity practices.

In a surprising development, on June 23, 2014, Judge Salas issued a Memorandum Opinion and Order granting Wyndham's motion seeking immediate appellate review of the April 7 decision—without holding oral argument. Judge Salas' reasons for supporting Wyndham's request to file an appeal are instructive and suggest the FTC's authority to act as the nation's chief cybersecurity enforcement agency is far from resolved. Following a careful analysis, the Court acknowledged that if its interpretation the FTC's authority was incorrect, it would represent reversible error on appeal, requiring a grant of Wyndham's motion to dismiss. ..."

The FTC had sued Wyndham in New Jersey based, in part, on the belief the FTC possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits "unfair and deceptive acts or practices." Moving to dismiss the action, Wyndham argued Congress, not the FTC, is the proper body to regulate cybersecurity and the FTC had failed to publish rules or regulations providing companies with fair notice of what protections are expected or acceptable.

In what was seen as a complete victory for the FTC, Judge Salas rejected Wyndham's narrow interpretation of the FTC's Section 5 powers. The Court concluded that Congress had vested the FTC with broad discretionary authority under Section 5 to "define unfair practices on a flexible, incremental basis." With regard to issue of fair notice, the Court concluded the FTC was not required to formally publish regulations on cybersecurity before bringing an enforcement action. Judge Salas noted that "courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency."

To many, what was striking about Judge Salas' April 7 decision was the...