David J. Bender · September 2013
81 GEO. WASH. L. REV. 1665 (2013)
For the first time in more than a decade of data-security enforcement actions under section 5 of the Federal Trade Commission Act, a corporation has decided to litigate the nature and extent of the Federal Trade Commission’s (“FTC”) authority over corporate data-security practices. Instead of agreeing to a consent decree, as most previous enforcement targets have done, Wyndham Hotel Group, LLC is challenging the very notion that the FTC may lawfully mandate specific corporate data-security practices as unfair under section 5. The Wyndham case therefore represents the first opportunity for judicial review of the extent of the FTC’s authority in this area, and the outcome will likely have far-reaching consequences in an area of law that is largely devoid of legislative direction.
This Essay argues that the court should rule in favor of the FTC in the Wyndham litigation. Such a ruling would be consistent with Supreme Court precedents establishing that administrative agencies generally have broad discretion to choose between rulemaking and adjudication. In addition, a court ruling in favor of the FTC would be more likely to mobilize business interests behind legislation to specifically delineate the Agency’s authority in this increasingly important area. This in turn would encourage Congress to finally heed the repeated calls of both the White House and the FTC to pass data-security legislation that would increase certainty for consumers and businesses alike.