December 02, 2015

Wyndham Ruling Reinforces FTC's Role in Cybersecurity Regulation

In Federal Trade Commission v. Wyndham Worldwide Corporation, the United States Court of Appeals for the Third Circuit held that the Federal Trade Commission (FTC) has authority to regulate cybersecurity under 15 U.S.C. § 45(a), which governs “unfair or deceptive acts or practices in or affecting commerce.”

The case arose following disclosure of data breaches at Wyndham hotels in 2008 and 2009, in which hackers stole personal and financial information for hundreds of thousands of Wyndham guests, leading to over $10 million in fraudulent credit card charges. The district court denied Wyndham’s motion to dismiss an unfair-practices action brought by the FTC, and on interlocutory appeal the Third Circuit affirmed. Recognizing that the federal prohibition on “unfair” practices is a “flexible concept with evolving content,” the Court rejected Wyndham’s argument that its cybersecurity policies — at least as alleged by the FTC — could not be “unfair” as a matter of law. It noted: “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Court also rejected Wyndham’s claim that it did not have fair notice that its cybersecurity practices could subject it to liability under § 45, particularly in light of an FTC guidebook describing a checklist of practices that form a “sound data security plan,” as well as prior FTC notices of consent decrees in other cybersecurity cases. The decision highlights the FTC’s leading and evolving role as a regulator of cybersecurity practices.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
