Federal Trade Commission v. Wyndham Worldwide Corp.
2015 U.S. App. LEXIS 14839
3rd Cir. 2015
Background
- Wyndham Worldwide is a hotel franchisor whose corporate network connected hundreds of franchised hotels’ property-management systems that stored guests’ payment-card and personal information.
- Between 2008 and 2009 hackers breached Wyndham’s systems three times, exfiltrating unencrypted payment-card data for over 600,000 consumers and causing millions in fraudulent charges.
- The FTC sued under Section 5 of the FTC Act, alleging Wyndham’s cybersecurity practices were "unfair" and that its privacy statements were deceptive; the District Court denied Wyndham’s 12(b)(6) motion to dismiss.
- On interlocutory appeal the Third Circuit considered two questions: (1) whether the FTC may regulate cybersecurity under the Act’s unfairness prong, and (2) whether Wyndham had fair notice that its specific cybersecurity practices could be unlawful.
- The complaint alleges concrete failures: storage of card data in clear text, use of default/easily-guessable passwords, lack of firewalls and IP restrictions, failure to monitor for known malware, inadequate vendor access controls, and deficient incident response.
Issues
| Issue | Plaintiff's Argument (FTC) | Defendant's Argument (Wyndham) | Held |
|---|---|---|---|
| Authority: Can § 5(a) (unfairness) reach cybersecurity? | §5’s flexible "unfairness" standard historically and under §45(n) includes practices causing substantial consumer injury; inadequate security fits. | Congress has enacted sector-specific privacy/cyber statutes, and those statutes, together with FTC pronouncements, show Congress did not intend §5 to reach cybersecurity. | The court held §5 can reach cybersecurity practices; prior statutes and guidance do not show exclusion. |
| Plain meaning: Does "unfair" require immoral/unscrupulous conduct or other additional constraints? | Unfairness focuses on substantial consumer injury, not moral blameworthiness; §45(n) governs. | "Unfair" should connote inequity/unscrupulousness and thus not apply to ordinary businesses victimized by criminals. | Court rejected Wyndham’s extra-textual constraints; substantial, foreseeable consumer injury satisfies unfairness. |
| Fair notice: Did Wyndham lack notice of what specific cybersecurity measures §5 required? | The FTC pointed to its longstanding §5 framework, guidance (FTC Guidebook), prior complaints/consent materials, and the §45(n) cost-benefit standard. | Wyndham argued it was entitled to "ascertainable certainty" of specific standards (and that agency adjudications/rules were required) and that it relied on absence of clear FTC rules. | Court held Wyndham was not entitled to agency-level "ascertainable certainty" here because the courts were interpreting the statute in the first instance; the Section 5 standard and agency guidance/precedent gave constitutionally sufficient notice as applied. |
| Reliance on agency materials and deference: Must courts defer to FTC adjudications/rules regarding cybersecurity? | FTC urged courts to apply the statute; agency guidance and past enforcement illustrate its view, but the case was decided by the courts without Chevron deference. | Wyndham insisted agency adjudications/rulings were needed for fair notice and sought to avoid deference to LabMD and other FTC materials. | Court found Wyndham repeatedly disavowed entitlement to Chevron/ascertainable-certainty, so this was a judicial statutory interpretation; deference issues were not controlling here. |
Key Cases Cited
- FTC v. Sperry & Hutchinson Co., 405 U.S. 233 (1972) (discussing the FTC Act’s flexible unfairness concept and the role of the Commission)
- Bunte Bros. v. FTC, 312 U.S. 349 (1941) (noting unfairness as an evolving concept)
- Atl. Ref. Co. v. FTC, 381 U.S. 357 (1965) (confirming Commission’s role in developing unfairness doctrine)
- FTC v. Raladam Co., 283 U.S. 643 (1931) (early limitations on unfairness when focused on competitors)
- R.F. Keppel & Brother, Inc. v. FTC, 291 U.S. 304 (1934) (addressing characterizations of "unfair" conduct)
- Chevron U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837 (1984) (agency deference framework)
- Bouie v. City of Columbia, 378 U.S. 347 (1964) (due-process fair-notice principle for retroactive judicial construction)
- Auer v. Robbins, 519 U.S. 452 (1997) (deference to agency interpretation of its own regulations)
- Skidmore v. Swift & Co., 323 U.S. 134 (1944) (weight to agency interpretations based on persuasiveness)
- FCC v. Fox Television Stations, Inc., 567 U.S. 239 (2012) (fair-notice due-process standards in administrative enforcement)
