American Bar Association
August 28, 2015
  FTC v. Wyndham Worldwide Corp. - Third Circuit
Headline: Third Circuit Rules That FTC Can Penalize Weak Cybersecurity at Wyndham Hotels

Area of Law: Cyber Law, Administrative Law

Issues Presented: Does the FTC have authority to regulate cybersecurity under the unfairness prong of § 45(a) and, if so, did Wyndham have fair notice its cybersecurity practices could fall short of that provision?

Brief Summary: The Federal Trade Commission ("FTC") brought suit against Wyndham Worldwide Corporation, a hotel and hospitality company, after three cyberattacks released Wyndham's customers' private data to hackers. At trial, Wyndham argued that the FTC did not have the authority to regulate cybersecurity as an "unfair practice" and that the FTC did not give Wyndham fair notice that its cybersecurity fell short of FTC requirements. When the District Court ruled against Wyndham on these issues, it appealed to the Third Circuit Court of Appeals. The Third Circuit ruled that cybersecurity breaches could constitute "unfair practices" as defined by the statute because they can cause substantial injury to customers. The Court also found that Wyndham did have fair notice that inadequate cybersecurity could constitute unfair practices because the law defines unfair practices as those which can cause substantial injury to consumers. Bad cybersecurity procedures certainly qualify. Moreover, Wyndham had notice that its particular cybersecurity systems could be problematic because they lacked even basic protections, such as firewalls, encryption and strong passwords.

Extended Summary: Wyndham Worldwide is a hotel and hospitality company. Every hotel in the Wyndham system has a property management system that holds customers' names, addresses, telephone numbers, credit card data, and other sensitive information. The hotels all connect their individual property management systems to Wyndham's centralized computer network in Phoenix, Arizona. Because Wyndham did not have effective cybersecurity protection, the Wyndham network was hacked on three separate occasions in 2008 and 2009. The hackers were able to retrieve the private data of over 600,000 Wyndham customers, resulting in $10.6 million lost to fraud. The Federal Trade Commission ("FTC") found that Wyndham had numerous cybersecurity practices which resulted in these breaches. The FTC also alleged that even after the hacks, Wyndham failed to take reasonable measures to improve its cybersecurity. The FTC filed a claim against Wyndham alleging that it engaged in unfair and deceptive practices in violation of § 45(a) of the Federal Trade Commission Act (the "Act"). Wyndham filed a motion to dismiss, which the District Court denied; the District Court then certified the decision on the unfairness claim for interlocutory appeal.

In 1994, Congress amended the Act to clarify the meaning of the term "unfair act or practice." According to that amendment, an act is not unlawful unless it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." But Wyndham argued that the Act imposed additional limitations on FTC action, including a requirement that the conduct complained of be "unfair" according to that word's ordinary meaning. Assuming, for purposes of argument, that this was true, the Court found that the requirement of unfairness was more than satisfied in this case because Wyndham advertised to its customers that it had installed strong cybersecurity measures in all of its computer networks - something which it had not, in fact, actually done. Wyndham also argued that it should not be held accountable because it was attacked by criminals, the hackers. The Court, however, was not persuaded by this argument considering that Wyndham made no attempt to fix its cybersecurity problems after the first and second attacks.

Wyndham also argued the FTC had failed to give it fair notice as to exactly what kind of practices were actionable. Wyndham insisted that it was entitled to ascertainable certainty as to the actual type of cybersecurity required by the Act. The Court disagreed. It determined that fair notice was satisfied if the company could reasonably foresee that a court could construe its conduct as falling within the meaning of the statute. And in this case, it was clear that Wyndham's cybersecurity was not acceptable. It didn't just have weak firewalls and weak encryption - in many cases, it had no firewalls and no encryption at all. It didn't even require its clients to change passwords. The Court relied on cost/benefit analysis to show that Wyndham could have easily made small changes that would have prevented attacks and fallen within its duties to its customers under the Act. For these reasons, the Third Circuit affirmed the decision of the District Court.
To read the full opinion, please visit http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

Panel (if known): Ambro, Scirica, and Roth, Circuit Judges

Argument Date: March 3, 2015

Date of Issued Opinion: August 24, 2015

Docket Number: No. 14-3514

Decided: Affirmed

Case Alert Author: Shanna Lafferty

Counsel: Kenneth W. Allen, Esq., Eugene F. Assaf, Esq., Christopher Landau, Esq., Susan M. Davies, Esq., Michael W. McConnell, Esq., David T. Cohen, Esq., Douglas H. Meal, Esq., Jennifer A. Hradil, Esq., Justin T. Quinn, Esq., Counsel for Appellants, Jonathan E. Nuechterlein, Esq., David C. Shonka, Esq., Joel R. Marcus, Esq., David L. Sieradazki, Esq., Counsel for Appellee, Sean M. Marotta, Esq., Catherine E. Stetson, Esq., Harriet P. Pearson, Esq., Bret S. Cohen, Esq., Adam A. Cooke, Esq., Kate Comerford Todd, Esq., Steven P. Lehotsky, Esq., Sheldon Gilbert, Esq., Banks Brown, Esq., Karen R. Harned, Esq., Counsel for Amicus Appellants Chamber of Commerce of the U.S.A.; American Hotel & Lodging Association; National Federation of Independent Business, Cory L. Andrews, Esq., Richard A. Samp, Esq., John F. Cooney, Esq., Jeffrey D. Knowles, Esq., Mitchell Y. Mirviss, Esq., Leonard L. Gordon, Esq., Randall K. Miller, Esq., Counsel for Amicus Appellant Electronic Transactions Association; Washington Legal Foundation, Scott M. Michelman, Esq., Jehan A. Patterson, Esq., Counsel for Amicus Appellees Public Citizens Inc; Consumer Action; Center for Digital Democracy, Marc Rotenberg, Esq., Alan Butler, Esq., Julia Horwitz, Esq., John Tran, Esq., Catherine N. Crump, Esq., Chris Jay Hoofnagle, Esq., Justin Brookman, Esq., G.S. Hans, Esq., Lee Tien, Esq., Counsel for Amicus Appellees Electronic Privacy Information Center; American Civil Liberties Union; Samuelson Law; Technology & Public Policy Clinic; Center for Democracy & Technology; Electronic Frontier Foundation

Author of Opinion: Judge Ambro

Circuit: Third Circuit

Case Alert Supervisor: Prof. Mark Anderson

    Posted By: Susan DeJarnatt @ 08/28/2015 08:40 AM     3rd Circuit  
