On April 7, 2014 a federal court held that FTC has the authority to bring unfair trade practice claims under the FTC Act for exposing consumers’ data to a security breach and need not issue formal regulations before.
In the last ten years the FTC has brought many actions against entities for failing to safeguard consumers’ personal data, often on the ground that inadequate data security is an “unfair or deceptive” act or practice “in or affecting commerce.” Generally the defendant entities settled. For the first time, a business (Wyndham Worldwide Corporation, an hotel chain) challenged the FTC’s authority and filed a motion to dismiss. The New Jersey District Court denied the motion and held that that agencies like the FTC need not formally issue regulations before bringing unfairness claims. To hold otherwise would mean that “[t]he FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.” Federal Trade Commission v. Wyndham Worldwide Corporation, U.S. District Court for the District of New Jersey, case no. 13-cv-1887.
More information available here