Federal Trade Commission v. Wyndham Worldwide Corp.
10 F. Supp. 3d 602
D.N.J.
2014

Background

  • FTC brings action under FTC Act §5(a) alleging unfair and deceptive data-security practices by Wyndham and its subsidiaries Hotel Group, Hotels & Resorts, and Hotel Management.
  • Wyndham allegedly operated a shared network linking the Hotels & Resorts corporate network to Wyndham-branded hotels' property management systems storing consumer data.
  • Between April 2008 and January 2010, three data breaches exposed payment card data, affecting over 619,000 accounts and causing substantial fraud losses.
  • FTC contends Wyndham failed to maintain reasonable security measures, enabling unauthorized access and future risk of harm to consumers and businesses.
  • Hotels & Resorts moves to dismiss on grounds of FTC authority, fair notice (need for regulations), and pleading sufficiency; court denies motion.
  • As to the unfairness claim, court rejects Brown & Williamson preemption concern, finds no requirement for pre-published regulations, and deems pleading sufficient.

Issues

Issue Plaintiff's Argument Defendant's Argument Held
FTC authority to bring unfairness claim on data security FTC argues data security fits §5 unfairness. Hotels & Resorts argues Brown & Williamson excludes FTC data-security authority. FTC authority upheld; no data-security carve-out.
Need for formal regulations to support unfairness claim Reasonableness standards allow case-by-case enforcement without pre-published regulations. Regulatory notice requires formal rules before liability. No requirement for formal regulations; fair notice satisfied.
Pleadings sufficiency for unfairness claim Complaint adequately pleads substantial injury, causation, and unreasonableness. Pleading too conclusory; injuries and causation inadequately pleaded. Unfairness claim pleaded sufficiently; reasonable inferences support injury and causation.
Pleadings sufficiency for deception claim Privacy policy representations about security are deceptive as to data security practices. Disclosures and entity responsibility raise questions about control and scope. Deception claim survives Rule 9(b) scrutiny at this stage; not dismissed.

Key Cases Cited

  • Brown & Williamson Tobacco Corp. v. FDA, 529 U.S. 120 (2000) (preemption and regulatory schemes differ; not controlling where newer statute exists)
  • Sperry & Hutchinson Co. v. FTC, 405 U.S. 233 (1972) (FTC authority to define unfair practices flexibly; not limited to enumerated acts)
  • Colgate-Palmolive Co. v. Ten, 380 U.S. 374 (1965) (FTC authority to interpret §5 with flexible, case-specific standards)
  • Fox Television Stations, Inc. v. FCC, 556 U.S. 502 (2009) (fair notice and reasonableness principles in agency actions)
  • Iqbal v. Ashcroft, 556 U.S. 662 (2009) (plausibility standard for pleading claims)
Read the full case