Privacy Alert – Judge Backs FTC Authority in Data Breach Case Against Franchisor

April 10, 2014

On April 7, a federal judge denied the motion of Wyndham Hotels & Resorts, LLC (“Wyndham”) to dismiss a complaint brought by the Federal Trade Commission (“FTC”) for unfair or deceptive acts or practices based on alleged breaches of the property management system used by Wyndham and its franchisees. This was the first time a business has challenged the FTC’s enforcement authority in this area. The ruling affirms the FTC’S authority and allows the agency to move forward with a consideration of potential liability. We previously reported on this case in a Privacy Alert dated December 17, 2013.

The FTC action alleged that franchisor entity Wyndham Hotels & Resorts, along with its affiliates and franchisees, engaged in deceptive practices by misrepresenting that they used “industry standard practices” and “commercially reasonable efforts” to secure the data they collected from their guests, and in “unfair” practices by failing to protect customer data.

Wyndham moved to dismiss the complaint on the grounds that the FTC does not have the authority to assert an unfairness claim in the data security context, that the FTC must promulgate regulations before bringing an unfairness claim, and that the FTC did not sufficiently plead allegations to support its unfairness or deception claim, in part because the hotels operated by franchisees are separate entities for which Wyndham is not legally responsible. The court disagreed with each of Wyndham’s arguments.

Of particular interest to franchisors is the rejection of Wyndham’s contention that “as a matter of law, it [Wyndham] is necessarily a separate entity from Wyndham-branded hotels,” such that each maintain their own computer networks and engage in separate data collection practices. The court noted that the FTC alleged that Wyndham failed to provide reasonable security for the personal information collected by it and its franchisees, and determined that the allegation was sufficient to withstand a motion to dismiss.

The court was also not persuaded by Wyndham’s argument that its privacy policy expressly disclaimed responsibility for the security of customer data collected by its franchisees, and applied only “to the extent we control the Information.” Wyndham cited language in its privacy policy that “expressly disclaims making any representations about the security of payment-card data collected by the Wyndham-branded hotels.” The court however pointed out other language in the same Wyndham privacy policy that emphasized the “importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests” and stated that it “applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities.” The court found that a reasonable customer might have understood the policy to cover data security practices at both company-owned and franchised hotels to the extent Wyndham controls the information.

The court made clear that its opinion is not a determination on liability, and that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead the Court denies a motion to dismiss given the allegations in this complaint.” However, the opinion clearly supports further enforcement actions by the FTC in the data privacy and security areas. It also illustrates the difficulty franchisors may have in separating their liability for data security snafus from that of their franchisees, particularly when the franchisor exercises some control, and the franchisor and franchisees share a network or are otherwise susceptible to breaches of each other’s systems. In addition, this case serves as a reminder that businesses should carefully consider what they state in their website privacy policies relative to data security.

We will continue to monitor this case as it proceeds.

If you have any questions about this client alert, please contact Michael Cohen or Maisa Frank.

This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.