Wyndham and FTC Settle Data Breach Lawsuit: Implications

Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year.  (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.)  While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way of a fine or monetary damages and is not required to admit liability, but must submit to annual audits of its data security practices – the most important takeaway is that the Third Circuit’s decision will remain good law (at least in the Third Circuit) for the foreseeable future; that is, since the litigation is over, there will be no courtroom vehicle to challenge to this particular Third Circuit’s decision.  While the Third Circuit’s decision is not binding on other federal circuits, it is – as of now – the most authoritative ruling on the question of the FTC’s authority in data breach matters; future courts grappling with the same questions will almost certainly need to consider the Third Circuit’s decision.  How authoritative the Third Circuit’s decision will be, especially as other courts weigh in, remains to be seen.