In a strongly worded opinion, the Third Circuit Court of Appeals on Monday slammed Wyndham Worldwide Corporation’s arguments that the FTC did not have jurisdiction to enforce the security practices of businesses following a data breach. The Court noted that it found most of Wyndham’s arguments “unpersuasive.” This is the first Circuit Court of Appeals case to opine on the FTC’s jurisdiction in data security matters.

Wyndham was the first company to challenge the FTC’s jurisdiction after it suffered a series of breaches between 2008 and 2010. LabMD took up the gauntlet thereafter and continues its battle against the FTC. The crux of Wyndham’s argument was that it was a victim of crime, and that the FTC had not published any regulations or guidance on data security from which companies could understand that the FTC could regulate their security practices and bring enforcement actions against them for lax security practices. The FTC has strongly disputed the allegations and has expanded its enforcement role over the security practices of companies following data breaches under Section 5 of the FTC Act, arguing that if a company tells consumers in its Privacy Policy that it will keep customers’ data secure and then does not, that is an unfair or deceptive business practice that subjects the company to FTC enforcement. The Court rebuffed Wyndham’s reliance on a dictionary definition under which a practice is unfair only if it is “not equitable” or is “marked by injustice, partiality, or deception,” stating: “[A] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes unsuspecting customers to substantial financial injury, and retains the profits of their business.”

After the Court issued its opinion, FTC Chairwoman Edith Ramirez stated in a press release that the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”