Fed. Trade Comm’n v. Wyndham Worldwide Corp

Wyndham has licensed its brand name to approximately 90 independently owned hotels, each having a system that processes consumer information, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham manages the systems and requires the hotels to configure them to its specifications to connect to Wyndham’s network. The FTC filed suit under 15 U.S.C. 45(a), alleging that Wyndham engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft. The company allowed Wyndham-branded hotels to store payment card information in clear readable text and allowed use of easily guessed passwords; failed to use “readily available security measures,” such as firewalls; allowed hotel systems to connect to its network without taking appropriate cybersecurity precautions; and did not follow “proper incident response procedures,” so that hackers used similar methods in three attacks. It nevertheless published a privacy policy on its website that overstates its cybersecurity. Hackers stole information for hundreds of thousands of consumers, leading to $10.6 million in fraudulent charges. The district court denied Wyndham’s motion to dismiss. On interlocutory appeal, the Third Circuit agreed that the FTC has authority to regulate cybersecurity under the unfairness prong of section 45(a) and that Wyndham had fair notice its specific practices could fall short of that provision.