Not a Lexis Advance subscriber? Try it out for free.

FTC v. Wyndham Worldwide Corp.

United States Court of Appeals for the Third Circuit

March 3, 2015, Argued; August 24, 2015, Opinion Filed

No. 14-3514

Opinion

 [*240]  OPINION OF THE COURT

AMBRO, Circuit Judge

The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.

On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation's computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham's conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham's motion to dismiss, and [**4]  we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.1 We affirm the District Court.

I. Background

A. Wyndham's Cybersecurity

Wyndham Worldwide is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries.2 Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham "manage[s]" these systems and requires the hotels to "purchase and configure" them to its own specifications. Compl. at ¶ 15, 17. It also operates a computer network in Phoenix, Arizona, that connects its data center with the property [**5]  management systems of each of the Wyndham-branded hotels.

The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." Id. at ¶ 24. This claim is fleshed out as follows.

Read The Full CaseNot a Lexis Advance subscriber? Try it out for free.

Full case includes Shepard's, Headnotes, Legal Analytics from Lex Machina, and more.

799 F.3d 236 *; 2015 U.S. App. LEXIS 14839 **; 2015-2 Trade Cas. (CCH) P79,269

FEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation WYNDHAM HOTEL GROUP, LLC, a Delaware limited liability company; WYNDHAM HOTELS AND RESORTS, LLC, a Delaware limited liability company; WYNDHAM HOTEL MANAGEMENT INCORPORATED, a Delaware Corporation, Wyndham Hotels and Resorts, LLC, Appellant

Prior History:  [**1] On Appeal from the United States District Court for the District of New Jersey. (D.C. Civil Action No. 2-13-cv-01887). District Judge: Honorable Esther Salas.

FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 2014 U.S. Dist. LEXIS 47622 (D.N.J., 2014)

Disposition:  Judgment affirmed.

CORE TERMS

unfair, consumers, cybersecurity, practices, network, fair notice, regulations, hotels, deference, hackers, notice, deceptive, privacy, allegations, property management, complaints, passwords, policy statement, courts, connect, meaning of the statute, unfair practice, first instance, ascertainable, customers, firewall, attacks, cases, agency's interpretation, personal information

Civil Procedure, Appeals, Standards of Review, De Novo Review, Defenses, Demurrers & Objections, Motions to Dismiss, Failure to State Claim, Banking Law, Federal Acts, Federal Trade Commission Act, Unfair Competition & Practices, Scope & Enforcement, Constitutional Law, Fundamental Rights, Procedural Due Process, Scope of Protection, Administrative Law, Judicial Review, Deference to Agency Statutory Interpretation, Constitutional Right, Governments, Legislation, Interpretation