An opinion by the US District Court of New Jersey, filed April 7, 2104, denied the motion to dismiss of Wyndham Hotels and allowed the Federal Trade Commission (the FTC) to bring claims under the Federal Trade Commission Act in the data security context.

The FTC alleged Wyndham violated the prohibition in Sec 5(a) of Federal Trade Commission Act, 15 USC Sec 45(a), of “acts or practices in or affecting commerce that are unfair or deceptive.”

Specifically, the FTC alleged Wyndham violated both prongs of 5(a) by:

• failing to maintain reasonable and appropriate security for the personal information it collected and maintained
• by engaging in a number of practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.

This is not the final decision, only the decision by the court denying Wyndham’s motion to dismiss.  It is significant because it is the first opinion on FTC’s authority to bring security breach cases under Sec 5 of FTC Act by alleging unfair or deceptive acts. The case now proceeds with pretrial discovery.