Fed. Trade Comm'n v. Wyndham Worldwide Corp.

Citation799 F.3d 236
Decision Date24 August 2015
Docket NumberNo. 14–3514.,14–3514.
PartiesFEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation Wyndham Hotels and Resorts, LLC, Appellant.
CourtUnited States Courts of Appeals. United States Court of Appeals (3rd Circuit)

799 F.3d 236

FEDERAL TRADE COMMISSION
v.
WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation Wyndham Hotels and Resorts, LLC, Appellant.

No. 14–3514.

United States Court of Appeals, Third Circuit.

Argued March 3, 2015.
Opinion filed: Aug. 24, 2015.


799 F.3d 239

Kenneth W. Allen, Esquire, Eugene F. Assaf, Esquire, (Argued), Christopher Landau, Esquire, Susan M. Davies, Esquire, Michael W. McConnell, Esquire, Kirkland & Ellis, Washington, DC, David T. Cohen, Esquire, Ropes & Gray, New York, N.Y., Douglas H. Meal, Esquire, Ropes & Gray, Boston, MA, Jennifer A. Hradil, Esquire, Justin T. Quinn, Esquire, Gibbons, Newark, NJ, Counsel for Appellants.

Jonathan E. Nuechterlein, General Counsel, David C. Shonka, Sr., Principal Deputy General Counsel, Joel R. Marcus, Esquire, (Argued), David L. Sieradzki, Esquire, Federal Trade Commission, Washington, DC, Counsel for Appellee.

Sean M. Marotta, Esquire, Catherine E. Stetson, Esquire, Harriet P. Pearson, Esquire, Bret S. Cohen, Esquire, Adam A. Cooke, Esquire, Hogan Lovells U.S. LLP, Kate Comerford Todd, Esquire, Steven P. Lehotsky, Esquire, Sheldon Gilbert, Esquire, U.S. Chamber Litigation Center, Inc., Banks Brown, Esquire, McDermott Will & Emery LLP, New York, N.Y., Karen R. Harned, Esquire, National Federation of Independent Business, Washington, DC, Counsel for Amicus Appellants, Chamber of Commerce of the USA; American Hotel & Lodging Association; National Federation of Independent Business.

Cory L. Andrews, Esquire, Richard A. Samp, Esquire, Washington Legal Foundation, John F. Cooney, Esquire, Jeffrey D. Knowles, Esquire, Mitchell Y. Mirviss, Esquire, Leonard L. Gordon, Esquire, Randall K. Miller, Esquire, Venable LLC, Washington, DC, Counsel for Amicus Appellants, Electronic Transactions Association, Washington Legal Foundation.

Scott M. Michelman, Esquire, Jehan A. Patterson, Esquire, Public Citizen Litigation Group, Washington, DC, Counsel for Amicus Appellees, Public Citizen Inc.; Consumer Action; Center for Digital Democracy.

Marc Rotenberg, Esquire, Alan Butler, Esquire, Julia Horwitz, Esquire, John Tran, Esquire, Catherine N. Crump, Esquire, American Civil Liberties Union, New York, N.Y., Chris Jay Hoofnagle, Esquire, Samuelson Law, Technology & Public Policy Clinic, Berkeley, CA, Justin Brookman, Esquire, G.S. Hans, Esquire, Washington, DC, Lee Tien, Esquire, Electronic Frontier Foundation, San Francisco, CA, Counsel for Amicus Appellees, Electronic Privacy Information Center, American Civil Liberties Union, Samuelson Law, Technology & Public Policy Clinic, Center

799 F.3d 240

for Democracy & Technology, Electronic Frontier Foundation.

Before: AMBRO, SCIRICA, and ROTH, Circuit Judges.

OPINION OF THE COURT

AMBRO, Circuit Judge.

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.

On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation's computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham's conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham's motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) ; and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.1 We affirm the District Court.

I. Background

A. Wyndham's Cybersecurity

Wyndham Worldwide is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries.2 Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham “manage[s]” these systems and requires the hotels to “purchase and configure” them to its own specifications. Compl. at ¶ 15, 17. It also operates a computer network in Phoenix, Arizona, that connects its data center with the property management systems of each of the Wyndham-branded hotels.

The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.” Id. at ¶ 24. This claim is fleshed out as follows.

1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text.

2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel's system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.” Id. at ¶ 24(f).

799 F.3d 241

3. Wyndham failed to use “readily available security measures”—such as firewalls—to “limit access between [the] hotels' property management systems, ... corporate network, and the Internet.” Id. at ¶ 24(a).

4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Id. at ¶ 24(c). Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham's network even though “default user IDs and passwords were enabled ..., which were easily available to hackers through simple Internet searches.” Id. And, because it failed to maintain an “adequate [ ] inventory [of] computers connected to [Wyndham's] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks. Id. at ¶ 24(g).

5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels. Id. at ¶ 24(j). For example, it did not “restrict[ ] connections to specified IP addresses or grant[ ] temporary, limited access, as necessary.” Id.

6. It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.” Id. at ¶ 24(h).

7. It did not follow “proper incident response procedures.” Id. at ¶ 24(i). The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.

Although not before us on appeal, the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company's cybersecurity.

We safeguard our Customers' personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128–bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information—such as credit card numbers, online forms, and financial data—from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards....

Id. at ¶ 21. The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

B. The Three Cybersecurity Attacks

As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham's network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham's network and the Internet. They then

799 F.3d 242

used the brute-force method—repeatedly...

To continue reading

Request your trial
69 cases
  • HNMC, Inc. v. Chan
    • United States
    • Court of Appeals of Texas
    • December 30, 2021
    ......2005) ; see Pagayon v. Exxon Mobil Corp. , 536 S.W.3d 499, 503 (Tex. 2017). When the ... See, e.g., F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 246 (3d Cir. ......
  • Miller v. Black Diamond Capital Mgmt., L.L.C. (In re Bayou Steel BD Holdings, L.L.C.)
    • United States
    • U.S. Bankruptcy Court — District of Delaware
    • August 3, 2022
    ......, the Ninth Circuit in Levin Metals Corp. v. Parr-Richmond Terminal Co. focused in on and ... any reasonable person might be willing to trade." 218 Corporate waste claims are reserved only ...2018) (quoting F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 242 (3d Cir. ...1994). 61 Cal. Fed. Sav. & Loan Ass'n v. Guerra , 479 U.S. 272, ......
  • Zohar CDO 2003-1, Ltd. v. Patriarch Partners, LLC (In re Zohar III, Corp.)
    • United States
    • U.S. Bankruptcy Court — District of Delaware
    • June 18, 2021
    ......Fed. R. Civ. P. 8(a). 70 Crystallex Int'l Corp. v. Petroleos ...2018) (quoting F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 242 (3d Cir. 2015) ). 71 ......
  • HNMC, Inc. v. Chan
    • United States
    • Court of Appeals of Texas
    • December 30, 2021
    ......2005); see Pagayon v. Exxon Mobil. Corp., 536 S.W.3d 499, 503 (Tex. 2017). When the ... See, e.g. , F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 246 (3d Cir. ......
  • Request a trial to view additional results
2 firm's commentaries
  • CFPB Asserts New Authority Over Data Security Practices
    • United States
    • Mondaq United States
    • August 22, 2022
    ...aff'd, 604 F.3d 1150 (9th Cir. 2010). 7. FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014) (No. 13 Civ. 1887), aff'd, 799 F.3d 236 (3d Cir. The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your ......
  • Do As You Say (And As You Should Do): How The Hospitality Industry Can Brace For Data Privacy Actions
    • United States
    • Mondaq United States
    • October 26, 2015
    ...authority to clamp down on the allegedly lax cybersecurity measures implemented by Wyndham Worldwide. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. The Trump and Wyndham cases highlight a growing trend for both federal regulators and plaintiffs' attorneys in the data privacy real......
5 books & journal articles

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT