The franchise, the FTC, deception, and data protection
On Monday of this week the United States Court of Appeals for the Third Circuit issued a precedential opinion in a case brought by the Federal Trade Commission against the franchisor of Wyndham hotels. The Court ruled that, for now, the FTC has stated valid unfair and deceptive claims against Wyndham for failing to protect customer data and information arising from three breaches occurring in 2008 and 2009.
Of particular note, for the most part, the information was not originally collected by Wyndham itself, but by its franchisees using Wyndham’s required technology. Wyndham thereafter managed and stored the information in its data center. Wyndham’s website described its data security policies.
The FTC sued alleging that Wyndham was engaged in unfair and deceptive trade practices, injuring consumers when Wyndham (i) failed to use proper safety procedures to protect the data and (ii) had a website which overstated the protective measures used to protect data.
Wyndham moved to dismiss the suit asserting that the wrongs were created by its franchisees, and asserting that its actions were neither unfair nor deceptive. The trial court allowed the case to proceed against Wyndham, in part, because Wyndham required the data and information to be gathered and processed using its mandated technologies and that thereafter, Wyndham was in charge of the data and information. With respect to deception, the Court ruled that Wyndham’s actions could be unfair or deceptive and allowed the case to proceed. Wyndham appealed the second prong of the ruling. The appellate court agreed with the trial court that it is possible that Wyndham’s conduct could be considered unfair or deceptive. The case will now proceed.
There are a few clear takeaways from this case. First, there is an increasing use by both regulatory agencies and private parties of “drag-net” type claims – claims of the “I know it when I see it” variety. It is often difficult to resolve these claims on an expedited or in a summary fashion via dismissal or summary judgment. Therefore, the direct and indirect costs associated with the claims are exponentially greater than a traditional claim. Second, it’s important for management to recognize that liability may arise from a failure to recognize the need to have some sort of process or procedure – that is, failing to have even a basic understanding or risk and attempting to deal with the risk. Third, a parent entity, franchisor, or some other party may inadvertently or unknowingly be subjecting themselves to risk. Proper risk analysis is important to your business. Finally, data and its risks are manageable. It is critical from business to engage in the management process before any issue arises.