Federal Trade Commission v. Wyndham Worldwide Corp.

Court of Appeals for the Third Circuit
2015 U.S. App. LEXIS 14839, 799 F.3d 236 (2015)
Rule of Law:

The Federal Trade Commission (FTC) has the authority under Section 5 of the FTC Act to regulate commercially unreasonable cybersecurity practices as 'unfair acts or practices.' A company's failure to maintain reasonable and appropriate data security measures, which causes or is likely to cause substantial consumer injury, falls within the purview of this statutory authority.
Facts:

  • Wyndham Worldwide Corporation, a hospitality company, operated a computer network that processed and stored personal and financial data for customers of its branded hotels.
  • Wyndham allegedly engaged in a number of deficient cybersecurity practices, including storing payment card information in clear readable text, allowing easily guessable default passwords for system access, and failing to use firewalls or other standard security measures.
  • The company published a privacy policy on its website stating it used 'industry standard practices' and 'commercially reasonable efforts,' including firewalls and encryption, to safeguard customer information.
  • In April 2008, hackers breached Wyndham's network and stole data from over 500,000 consumer accounts.
  • In March 2009, a second data breach occurred, compromising the payment card information of approximately 50,000 consumers.
  • In late 2009, a third breach occurred, resulting in the theft of payment card information for an additional 69,000 customers.
  • In total, the breaches compromised data from over 619,000 consumers and led to more than $10.6 million in fraudulent charges.

Procedural Posture:

  • The Federal Trade Commission (FTC) filed a lawsuit against Wyndham Worldwide Corporation in the U.S. District Court for the District of Arizona, alleging unfair and deceptive practices.
  • On Wyndham's motion, the case was transferred to the U.S. District Court for the District of New Jersey.
  • Wyndham filed a motion to dismiss the complaint for failure to state a claim, arguing the FTC lacked authority to regulate cybersecurity and had failed to provide fair notice.
  • The District Court denied Wyndham's motion to dismiss.
  • The District Court certified its ruling on the unfairness claim for interlocutory appeal.
  • The U.S. Court of Appeals for the Third Circuit granted Wyndham's petition to hear the appeal.

Issue:

Does the Federal Trade Commission have the authority under the 'unfairness' prong of Section 5 of the FTC Act to bring an enforcement action against a company for allegedly deficient cybersecurity practices, and does the statute provide constitutionally sufficient fair notice of what conduct is prohibited?
Opinions:

Majority - Ambro, Circuit Judge

Yes, the FTC has the authority to regulate inadequate cybersecurity as an unfair practice under Section 5 of the FTC Act, and the statute provides sufficient fair notice. The court reasoned that the history and text of the FTC Act demonstrate Congress's intent for the term 'unfair' to be a flexible concept adaptable to changing business practices. The statutory test for unfairness, codified in 15 U.S.C. § 45(n), focuses on whether a practice causes substantial, unavoidable consumer injury not outweighed by countervailing benefits, a standard that can encompass deficient cybersecurity. The court rejected Wyndham's argument that being the victim of a criminal hack absolves it of liability, noting that liability can attach for foreseeable harms facilitated by a party's own conduct. Regarding fair notice, the court held that Wyndham was only entitled to notice of the statute's meaning, not a more specific agency interpretation, because Wyndham itself argued the court should interpret the statute in the first instance. The cost-benefit analysis required by § 45(n) is not unconstitutionally vague, and Wyndham's alleged conduct was so deficient, especially in light of the repeated security breaches, that it was on notice that its practices could be deemed unfair under the statute.
Analysis:

This landmark decision solidified the FTC's role as the primary de facto regulator of data security in the United States. It confirms the agency's authority to use its broad 'unfairness' jurisdiction to police companies with inadequate cybersecurity, even without specific, pre-existing regulations detailing every required security measure. The ruling established that a company's data security practices are judged by a standard of commercial reasonableness, effectively creating a common-law-like duty for businesses to protect consumer data. This precedent has empowered the FTC to continue its enforcement-heavy approach to data security and has significantly influenced corporate data protection policies nationwide.