From Antitrust Law Daily, August 24, 2015

FTC may proceed with unfairness, deception claims against Wyndham’s data security practices

By Greg Hammond, J.D.

Wyndham Hotels and Resorts, LLC could not overturn an order denying its motion to dismiss FTC unfair or deceptive acts claims, arising from Wyndham’s alleged failure to protect consumer information. The U.S. Court of Appeals in Philadelphia affirmed the lower court’s order denying dismissal, finding that the FTC has authority to regulate cybersecurity under the FTC Act and Wyndham had fair notice that its specific data security practices could fall short of § 45(a) of the FTC Act (FTC v. Wyndham Worldwide Corp., August 24, 2015, Ambro, T.).

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez, in response to the ruling. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC had brought suit, alleging that Wyndham and its subsidiaries violated the deceptive and unfair prongs of Section 5(a) of the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. Hackers allegedly gained access on three separate occasions to Wyndham’s computer network, obtaining payment card information from over 619,000 customers and resulting in at least $10.6 million in fraud loss. The federal district court in Newark denied Wyndham’s motion to dismiss in April, and granted interlocutory appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and (2) whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.

FTC Act authority. Wyndham first argued that the three requirements of 15 U.S.C. § 45(a) are necessary but insufficient conditions of an unfair practice and that the plain meaning of “unfair” imposes independent requirements that are not met here. The court, however, determined that Wyndham’s arguments were unpersuasive or were already satisfied by the allegations in the FTC’s complaint.

Specifically, Wyndham argued that the plain meaning of unfairness applies and that a practice is only “unfair” if it is “not equitable” or is “marked by injustice, partiality, or deception.” This argument made little difference in this case, the court found, because a company—like Wyndham in the instant action—does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, but fails to make good on that promise by investing inadequate resources in cybersecurity, exposing its unsuspecting customers to substantial financial injury, and retaining the profits of their business.

The court also dismissed Wyndham’s argument that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to sue supermarkets that are “sloppy about sweeping up banana peels.” This “alarmist” argument “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a),” the court stated.

Wyndham also failed to persuade the court that three subsequent legislative acts—the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act—reshaped § 45(a)’s meaning to exclude cybersecurity. None of the recent privacy legislation was “inexplicable” if the FTC already had some authority to regulate corporate cybersecurity through § 45(a), the court stated. The fact the FTC later brought unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm is not inconsistent with the agency’s earlier position that it could not require companies to adopt fair information practice policies.

Fair notice. The court next considered Wyndham’s position that it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by § 45(a). However, according to the court, the relevant question is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.

Wyndham argued that it lacked notice of what specific cybersecurity practices are necessary to avoid liability. The court rejected this claim, however, noting that Wyndham is entitled to a relatively low level of statutory notice because § 45(a) does not implicate any constitutional rights here, is a civil rather than criminal statute, and regulates economic activity. Businesses that face economic demands to plan behavior carefully can be expected to consult relevant legislation in advance of action.

The court concluded that Wyndham failed to demonstrate that it lacked fair notice of the meaning of the statute because, prior to the cybersecurity breaches at issue, the FTC filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity; those materials were published on the FTC’s website and notices of proposed consent orders were published in the Federal Register; and the allegations in the instant case are specific and similar to at least one of the four or five cybersecurity-related unfair-practice complaints previously issued. Wyndham consequently could not claim that the complaints failed to give notice of the necessary and sufficient conditions of an alleged § 45(a) violation when all of the allegations in at least one of the relevant four or five complaints had close corollaries to the instant action.

The case number is 14-3514.

Attorneys: Kenneth W. Allen (Kirkland & Ellis), David T. Cohen (Ropes & Gray), and Jennifer A. Kradil (Gibbons P.C.) for Wyndham Hotels and Resorts, LLC. Jonathan E. Nuechterlein, FTC.

Companies: Wyndham Hotels and Resorts, LLC; Wyndham Worldwide Corp.; Wyndham Hotel Group, LLC; Wyndham Hotel Management Inc.
