Lexis Nexis - Case Brief

Not a Lexis Advance subscriber? Try it out for free.

Law School Case Brief

FTC v. Wyndham Worldwide Corp. - 799 F.3d 236 (3d Cir. 2015)


The relevant legal rule is not so vague as to be no rule or standard at all. 15 U.S.C.S. § 45(n) asks whether the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis, that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute. 


The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce." In 2005, the Federal Trade Commission (FTC) began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases ended in settlement. On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation's (Wyndham) computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal district court against Wyndham, alleging that Wyndham engaged in unfair cybersecurity practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." The FTC further alleged that Wyndham's privacy policy was deceptive. Wyndham filed a motion to dismiss, arguing that the FTC had no authority to regulate cybersecurity. The district court denied Wyndham's motion.


Did the court properly deny the motion to dismiss?




The federal appellate court held that the three requirements in 15 U.S.C.S. § 45(n) may be necessary rather than sufficient conditions of an unfair practice, but it was not persuaded that any other requirements proposed by Wyndham posed a serious challenge to the FTC's claim. Wyndham repeatedly argued there was no FTC interpretation of § 45(a) or (n) to which the federal courts must defer, and, as a result, the courts had to interpret the meaning of the statute as it applied to the Wyndham's conduct in the first instance. Thus, Wyndham could not argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform. The court held that Wyndham could only claim that it lacked fair notice of the meaning of the statute itself, which was a theory that it did not meaningfully raise and was unpersuasive.

Access the full text case Not a Lexis Advance subscriber? Try it out for free.
Be Sure You're Prepared for Class