May the Federal Trade Commission (“FTC”) enforce a franchisor’s obligation to the customers of its franchisee to prevent cyber-theft of those customers’ credit card information? The recently-filed lawsuit entitled FTC v Wyndham Worldwide Corp., Federal District Court, District of New Jersey (Civ. Action No. 13-cv-1887) (ES)(SCM) may answer that question.
The reason this is an issue is that in April of 2008 and later in 2009, hackers were able to penetrate the Wyndham’s computer systems and obtain massive credit card data that should have been confidential.
Wyndham has defended on a number of bases. One such basis is that the FTC does not have jurisdiction to bring suit. In fact, Congress did not specifically authorize the FTC to bring a lawsuit for a private company’s data breach. However, the FTC has taken the position that it is not doing so. Instead, it is bringing a suit for deceptive practices that led customers to believe reasonable precautions were being taken to prevent a data breach.
As of this posting, the case is at an incipient stage. Time will tell whether or not Wyndham’s jurisdictional argument will be successful.