The Third Circuit court of appeals recently affirmed the denial of Wyndham Hotels’ motion to dismiss a case brought by the FTC for unfair and deceptive trade practices. FTC v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. Aug. 24, 2008). The FTC alleged that franchisor Wyndham Hotels & Resorts, along with its affiliates, engaged in deceptive practices by misrepresenting that it used standard and commercially reasonable practices to secure guest data, and engaged in unfair practices by failing to protect customer data. The claims arose after a criminal organization hacked into Wyndham’s property management computer system multiple times, accessing credit card information from over 619,000 guests and resulting in $10.6 million in losses. Wyndham moved to dismiss the complaint but the district court denied Wyndham’s motion. (We reported on earlier decisions in Issues 180 and 182 of The GPMemorandum.) Wyndham then filed an interlocutory appeal, arguing that the FTC did not have the authority to regulate cybersecurity under the unfairness prong (section 45(a)) of the FTC Act, and that, even if it did, Wyndham did not have fair notice that its specific cybersecurity practices could fall short of that provision.

In upholding the FTC’s ability to regulate cybersecurity under the unfairness prong, the court applied the policy statement for section 45, which requires that the offending act cause substantial injury to consumers, an injury not reasonably avoidable by consumers, and that is not outweighed by countervailing benefits to consumers or competition. Wyndham argued that its conduct fell outside of this section in part because it was not also within the plain meaning of “unfair,” which Wyndham defined as unscrupulous; unethical; not equitable; or marked by injustices, partiality, or deception. The court found no requirement that the act be unscrupulous or unethical and decided that even if the Act did require inequitable or deceptive conduct, the FTC’s complaint satisfied those requirements. Wyndham also argued that a business does not treat its customers in an unfair manner when the business itself is victimized by criminals. In response, the court found that a company’s conduct need not be the most proximate cause of an injury for the company to be liable for foreseeable harms. Finally, Wyndham pointed out that other subsequent pieces of legislation give the FTC authority or require it to promulgate regulations governing cybersecurity in certain circumstances. The court, however, determined that these recent pieces of legislation did not contradict a finding that the FTC already had the authority to regulate cybersecurity through section 45(a).

The court also held that Wyndham had fair notice of the specific cybersecurity standards that it was required to follow. After reviewing the different legal standards that apply to different types of agency action, the court determined that the appropriate standard in this case is whether Wyndham had fair notice that its conduct could fall within the meaning of section 45(a). The court had no trouble determining that Wyndham could reasonably foresee that its cybersecurity practices might be construed as falling within that law, because the policy statement informed parties that they should perform a cost-benefit analysis. The court also pointed to the FTC’s 2007 guidebook for businesses on protecting personal information, which, while not stating that any particular practice is required, lists practices that form a sound data security plan and recommends against other practices, including some of those allegedly employed by Wyndham.

Gray Plant Mooty will continue to monitor this case, which offers guidance to those seeking to implement appropriate cybersecurity policies and procedures.