Privacy and data security experts are closely watching a case that for the first time challenges the Federal Trade Commission's (FTC) authority to sue companies on behalf of consumers for cybersecurity breaches and lax or misleading data security policies.

In Federal Trade Commission v. Wyndham Worldwide Corporation, the FTC alleges that Wyndham and its hotel subsidiaries, by not maintaining “reasonable and appropriate” data security protections, violated Section 5 of the FTC Act, which forbids “unfair or deceptive” practices.

The broad authority to protect consumers from data breaches has been the basis of 41 previous investigations of such companies as Google Inc., Twitter Inc. and HTC Corp., resulting in out-of-court settlements and consent decrees. Wyndham is the first company to fight back in court, arguing Congress never granted the FTC cybersecurity oversight and the lawsuit therefore exceeds the FTC's enforcement authority.