
The Franchise Memorandum

Third Circuit Confirms FTC's Authority to Regulate Cybersecurity in Case Against Franchisor

The Third Circuit Court of Appeals recently affirmed the denial of Wyndham Hotels' motion to dismiss a case brought by the FTC for unfair and deceptive trade practices. FTC v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. Aug. 24, 2008). The FTC alleged that franchisor Wyndham Hotels & Resorts, along with its affiliates, engaged in deceptive practices by misrepresenting that it used standard and commercially reasonable practices to secure guest data, and engaged in unfair practices by failing to protect customer data. The claims arose after a criminal organization hacked into Wyndham's property management computer system multiple times, accessing credit card information from over 619,000 guests and resulting in $10.6 million in losses. Wyndham moved to dismiss the complaint, but the district court denied the motion. (We reported on earlier decisions in Issues 180 and 182 of The GPMemorandum.) Wyndham then filed an interlocutory appeal, arguing that the FTC did not have the authority to regulate cybersecurity under the unfairness prong (section 45(a)) of the FTC Act, and that, even if it did, Wyndham did not have fair notice that its specific cybersecurity practices could fall short of that provision.

In upholding the FTC's ability to regulate cybersecurity under the unfairness prong, the court applied the policy statement for section 45, which requires that the offending act cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Wyndham argued that its conduct fell outside of this section in part because it was not also within the plain meaning of "unfair," which Wyndham defined as unscrupulous; unethical; not equitable; or marked by injustices, partiality, or deception. The court found no requirement that the act be unscrupulous or unethical and decided that even if the Act did require inequitable or deceptive conduct, the FTC's complaint satisfied those requirements. Wyndham also argued that a business does not treat its customers in an unfair manner when the business itself is victimized by criminals. In response, the court found that a company's conduct need not be the most proximate cause of an injury for the company to be liable for foreseeable harms. Finally, Wyndham pointed out that other subsequent pieces of legislation give the FTC authority or require it to promulgate regulations governing cybersecurity in certain circumstances. The court, however, determined that these recent pieces of legislation did not contradict a finding that the FTC already had the authority to regulate cybersecurity through section 45(a).

The court also held that Wyndham had fair notice of the specific cybersecurity standards that it was required to follow. After reviewing the various legal standards required for various types of agency regulations, the court determined that the appropriate standard in this case is whether Wyndham had fair notice that its conduct could fall within the meaning of section 45(a). The court had no trouble determining that Wyndham could reasonably foresee that its cybersecurity practices might be construed as falling within that law because the policy statement informed parties they should perform a cost-benefit analysis. The court also pointed to the FTC's 2007 guidebook for businesses on protecting personal information, which, while not stating that any particular practice is required, lists practices that form a sound data security plan and recommends against other practices, including some of those allegedly employed by Wyndham.

Gray Plant Mooty will continue to monitor this case, which offers guidance to those seeking to implement appropriate cybersecurity policies and procedures.


The information contained in this post is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.

About this Publication

The Franchise Memorandum is a collection of postings on summaries of recent legal developments of interest to franchisors brought to you by Lathrop GPM LLP. 
