The United States Federal Trade Commission (FTC) received a significant victory in the United States District Court for the District of New Jersey in its pending case against Wyndham Worldwide Corp. The FTC filed an action against Wyndham based on a series of data breaches from 2008 through 2010 under Section 5(a) of the FTC Act claiming the failure was an unfair or deceptive trade practice based upon various theories including that Wyndham’s privacy policy stated they implement reasonable protective measures.

The court made the following two significant holdings in ruling in favor of the FTC:

  1. Section5 of the FTC Act allows the FTC to regulation data security
  2. The FTC does not need to issue specific regulations and the FTC Act is flexible enough to allow the FTC to bring enforcement actions

What does this mean for business?

If a businesses terms of service or privacy policy states that the company takes reasonable protective measures, the company should in fact take reason able protective measures. If not, the company may receive a visit from the FTC.