FTC v. Wyndham Worldwide Corporation

On August 24, 2015, the United States Court of Appeals for the Third Circuit handed down its decision in favor of the Federal Trade Commission (FTC) against Wyndham Worldwide Corporation. The lawsuit was brought against the defendant and its subsidiaries for their failure to implement proper cybersecurity measures and to protect consumers’ personal information against hackers. The FTC alleged that defendants did not use encryption, firewalls, and other commercially reasonable methods for protecting personal information.

What was the basis of the lawsuit?

In general, the FTC has the responsibility to protect consumers against unfair and deceptive business practices. These illegal practices can range from false advertising to antitrust issues. The FTC has started to prosecute companies whose cybersecurity is inadequate to protect consumer data. Companies that made false statements about their level of security in their terms of service have also had lawsuits filed against them. In this case, between 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s network and computer systems on three separate occasions: one incident occurred in 2008 and two occurred in 2009. The hackers were allegedly able to breach the network because of the use of weak and obvious passwords, the lack of a response to the first incident, and inadequate monitoring systems. In one of the instances, it took approximately two months for Wyndham Worldwide Corporation to discover that its systems had been accessed without authorization. The hackers successfully accessed the personal information of approximately 619,000 consumers and caused $10.6 million in fraudulent charges. On June 26, 2012, the FTC brought the lawsuit against defendants. Their motion to dismiss was denied by the district court, and their appeal was heard on two issues in order to determine whether there was a valid claim: (1) whether the FTC had authority to regulate cybersecurity under 15 U.S.C. § 45; and (2) if so, whether defendants received fair notice that their cybersecurity practices were inadequate under the guidelines.

What is the effect of the ruling?

The appellate court affirmed the district court’s ruling against the motion to dismiss for lack of standing and allowed the FTC to continue with its lawsuit. In essence, this ruling affirmed the FTC’s authority to bring lawsuits against companies for their lack of cybersecurity measures under 15 U.S.C. § 45(a) and (n). The appellate court then determined that defendants could not claim that they lacked fair notice, because they were making that claim on the understanding that they needed ascertainable certainty of the FTC’s cybersecurity standards. In civil cases, the standard of notice does not need to be as high as in a criminal case, and defendants had notice that they needed cybersecurity measures in place, especially after the initial security breach. In recent years, the FTC has continuously filed lawsuits against companies that have not protected their customers’ privacy. In order to protect a business from such lawsuits, it is important for companies to implement proper security measures, protect private information, and not misrepresent to consumers the extent of the security measures they provide.

At our law firm, we assist clients with legal issues related to technology, privacy, and cyber-related activities. You may contact us to set up an initial consultation.