By George W. Thompson
The Third Circuit has issued a decision that ties together three of my favorite (no, I’m not kidding) topics: cybersecurity, judicial review of agency action and the amorphous scope of Federal Trade Commission (FTC) authority to define “unfair trade practices.” The appellate court affirmed that the FTC’s reach under 15 U.S.C. § 45(a) to address “unfair or deceptive acts or practices” extends to a company’s failure to prevent hacking of its website.
To summarize the facts, hotel chain Wyndham suffered multiple intrusions of its computer systems. The hackers retrieved customer data, including credit card data, and made fraudulent charges. While Wyndham’s website touted its supposed electronic security, the company failed to implement industry-standard preventive measures or to correct the flaws that permitted the intrusions.
The FTC brought an action against Wyndham, asserting its actions constituted unfair and deceptive practices, and prevailed in the district court. The Third Circuit “granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”
The FTC Has Jurisdiction over Cybersecurity-Related Issues
On the first issue, the appellate court had no difficulty in finding that the FTC’s authority extended to cybersecurity breaches. The enactment of legislation granting the FTC jurisdiction over discrete cyber issues, such as the Children’s Online Privacy Protection Act, did not detract from the agency’s general authority over unfair practices, including those conducted in the electronic world. Whether conducted online or not, unfair activities fall under section 45(a)’s coverage.
The court also rejected Wyndham’s argument that an unfair act required some sort of improper intent on its part, Wyndham contending that it had not treated its customers in an inequitable or unethical manner. The court made short work of that line of argument: “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”
Wyndham Had Sufficient Notice Its Activities Were Covered
Next, the decision considered whether “the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow.” Wyndham asserted that no deference was due to the agency’s previous pronouncements on the issue and that those pronouncements failed to provide sufficient guidance on what the requirements were. The court found this point immaterial, since the FTC’s complaint was based on the plain language of section 45(a) and not on any agency interpretation. Thus, the court concluded, “Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.”
Following the decision, Wyndham and the FTC entered into a stipulated order for injunction that requires the company to adopt specified data security measures.
The FTC as Cyber Sheriff
The Wyndham decision has potentially far-reaching effect. Not only does it dispel any notion that electronic activities are somehow beyond the FTC’s reach, it also, together with the stipulated order that followed it, begins to define the security standards companies will be expected to meet to protect their customers’ information. Pretty much every business that conducts electronic commerce should evaluate its electronic security program in light of Wyndham.