Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14–3514.

CourtUnited States Courts of Appeals. United States Court of Appeals (3rd Circuit)
Writing for the CourtAMBRO, Circuit Judge.
Citation799 F.3d 236
Decision Date24 August 2015
Docket NumberNo. 14–3514.
PartiesFEDERAL TRADE COMMISSION v. WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation Wyndham Hotels and Resorts, LLC, Appellant.

799 F.3d 236

FEDERAL TRADE COMMISSION
v.
WYNDHAM WORLDWIDE CORPORATION, a Delaware Corporation Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; Wyndham Hotel Management Incorporated, a Delaware Corporation Wyndham Hotels and Resorts, LLC, Appellant.

No. 14–3514.

United States Court of Appeals, Third Circuit.

Argued March 3, 2015.
Opinion filed: Aug. 24, 2015.


799 F.3d 239

Kenneth W. Allen, Esquire, Eugene F. Assaf, Esquire, (Argued), Christopher Landau, Esquire, Susan M. Davies, Esquire, Michael W. McConnell, Esquire, Kirkland & Ellis, Washington, DC, David T. Cohen, Esquire, Ropes & Gray, New York, N.Y., Douglas H. Meal, Esquire, Ropes & Gray, Boston, MA, Jennifer A. Hradil, Esquire, Justin T. Quinn, Esquire, Gibbons, Newark, NJ, Counsel for Appellants.

Jonathan E. Nuechterlein, General Counsel, David C. Shonka, Sr., Principal Deputy General Counsel, Joel R. Marcus, Esquire, (Argued), David L. Sieradzki, Esquire, Federal Trade Commission, Washington, DC, Counsel for Appellee.

Sean M. Marotta, Esquire, Catherine E. Stetson, Esquire, Harriet P. Pearson, Esquire, Bret S. Cohen, Esquire, Adam A. Cooke, Esquire, Hogan Lovells U.S. LLP, Kate Comerford Todd, Esquire, Steven P. Lehotsky, Esquire, Sheldon Gilbert, Esquire, U.S. Chamber Litigation Center, Inc., Banks Brown, Esquire, McDermott Will & Emery LLP, New York, N.Y., Karen R. Harned, Esquire, National Federation of Independent Business, Washington, DC, Counsel for Amicus Appellants, Chamber of Commerce of the USA; American Hotel & Lodging Association; National Federation of Independent Business.

Cory L. Andrews, Esquire, Richard A. Samp, Esquire, Washington Legal Foundation, John F. Cooney, Esquire, Jeffrey D. Knowles, Esquire, Mitchell Y. Mirviss, Esquire, Leonard L. Gordon, Esquire, Randall K. Miller, Esquire, Venable LLC, Washington, DC, Counsel for Amicus Appellants, Electronic Transactions Association, Washington Legal Foundation.

Scott M. Michelman, Esquire, Jehan A. Patterson, Esquire, Public Citizen Litigation Group, Washington, DC, Counsel for Amicus Appellees, Public Citizen Inc.; Consumer Action; Center for Digital Democracy.

Marc Rotenberg, Esquire, Alan Butler, Esquire, Julia Horwitz, Esquire, John Tran, Esquire, Catherine N. Crump, Esquire, American Civil Liberties Union, New York, N.Y., Chris Jay Hoofnagle, Esquire, Samuelson Law, Technology & Public Policy Clinic, Berkeley, CA, Justin Brookman, Esquire, G.S. Hans, Esquire, Washington, DC, Lee Tien, Esquire, Electronic Frontier Foundation, San Francisco, CA, Counsel for Amicus Appellees, Electronic Privacy Information Center, American Civil Liberties Union, Samuelson Law, Technology & Public Policy Clinic, Center

799 F.3d 240

for Democracy & Technology, Electronic Frontier Foundation.

Before: AMBRO, SCIRICA, and ROTH, Circuit Judges.

OPINION OF THE COURT

AMBRO, Circuit Judge.

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.

On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation's computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham's conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham's motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) ; and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.1 We affirm the District Court.

I. Background

A. Wyndham's Cybersecurity

Wyndham Worldwide is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries.2 Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham “manage[s]” these systems and requires the hotels to “purchase and configure” them to its own specifications. Compl. at ¶ 15, 17. It also operates a computer network in Phoenix, Arizona, that connects its data center with the property management systems of each of the Wyndham-branded hotels.

The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.” Id. at ¶ 24. This claim is fleshed out as follows.

1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text.

2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel's system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.” Id. at ¶ 24(f).

799 F.3d 241

3. Wyndham failed to use “readily available security measures”—such as firewalls—to “limit access between [the] hotels' property management systems, ... corporate network, and the Internet.” Id. at ¶ 24(a).

4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Id. at ¶ 24(c). Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham's network even though “default user IDs and passwords were enabled ..., which were easily available to hackers through simple Internet searches.” Id. And, because it failed to maintain an “adequate [ ] inventory [of] computers connected to [Wyndham's] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks. Id. at ¶ 24(g).

5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels. Id. at ¶ 24(j). For example, it did not “restrict[ ] connections to specified IP addresses or grant[ ] temporary, limited access, as necessary.” Id.

6. It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.” Id. at ¶ 24(h).

7. It did not follow “proper incident response procedures.” Id. at ¶ 24(i). The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.

Although not before us on appeal, the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company's cybersecurity.

We safeguard our Customers' personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128–bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information—such as credit card numbers, online forms, and financial data—from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards....

Id. at ¶ 21. The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

B. The Three Cybersecurity Attacks

As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham's network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham's network and the Internet. They then

799 F.3d 242

used the brute-force method—repeatedly...

To continue reading

Request your trial
52 practice notes
  • HNMC, Inc. v. Chan, NO. 14-18-00849-CV
    • United States
    • Court of Appeals of Texas
    • 30 Diciembre 2021
    ...317, 323 (D.C. 1980). Section 449 has also been cited by several federal courts as well. See, e.g., F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 246 (3d Cir. 2015) ; Fisher v. Halliburton , 667 F.3d 602, 616 (5th Cir. 2012) ; Mitchell v. Archibald & Kendall, Inc. , 573 F.2d 429, 435 n.......
  • Richards v. Direct Energy Servs., LLC, No. 17-1003-cv
    • United States
    • United States Courts of Appeals. United States Court of Appeals (2nd Circuit)
    • 4 Febrero 2019
    ...doctrine continues to evolve beyond the purported "core" my colleagues identify. Cf. , e.g. , F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236 (3d Cir. 2015) (upholding an FTC enforcement against a hotel chain that had extremely lax cybersecurity protecting its customers' financial and pers......
  • United States v. Harra, No. 19-1105
    • United States
    • United States Courts of Appeals. United States Court of Appeals (3rd Circuit)
    • 12 Enero 2021
    ...with "ascertainable certainty" before subjecting private parties to punishment under that interpretation. FTC v. Wyndham Worldwide Corp. , 799 F.3d 236, 249, 251 (3d Cir. 2015). This is because it is difficult for a private party to predict how an agency will interpret an ambiguous statute ......
  • Belt v. P.F. Chang's China Bistro, Inc., CIVIL ACTION No. 18-3831
    • United States
    • United States District Courts. 3th Circuit. United States District Court (Eastern District of Pennsylvania)
    • 15 Agosto 2019
    ...ambiguous, courts resolve this ambiguity by "adopt[ing] the best or most reasonable interpretation." F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 252 (3d Cir. 2015). To determine the best or most reasonable interpretation, courts "consider the ordinary and natural meaning of the regula......
  • Request a trial to view additional results
47 cases
  • Consumer Fin. Prot. Bureau v. Navient Corp., 3:17-CV-101
    • United States
    • United States District Courts. 3th Circuit. United States District Court of Middle District of Pennsylvania
    • 4 Agosto 2017
    ...and why it would be improper for the CFPB to declare something unlawful through litigation. See generally FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The Court is not persuaded that the language of section 5531 should be read in the manner advocated by Navient. Subsections ......
  • In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., MDL No. 19-md-2879
    • United States
    • United States District Courts. 4th Circuit. United States District Court (Maryland)
    • 21 Febrero 2020
    ..., the Third Circuit affirmed the FTC's enforcement of Section 5 of the FTC Act in data breach cases, which it had been doing since 2005. 799 F.3d 236, 240 (3d Cir. 2015) ("The Federal Trade Commission Act prohibits ‘unfair or deceptive acts or practices in or affecting commerce.’ 15 U.......
  • Belt v. P.F. Chang's China Bistro, Inc., CIVIL ACTION No. 18-3831
    • United States
    • United States District Courts. 3th Circuit. United States District Court (Eastern District of Pennsylvania)
    • 15 Agosto 2019
    ...courts resolve this ambiguity by "adopt[ing] the best or most reasonable interpretation." F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 252 (3d Cir. 2015). To determine the best or most reasonable interpretation, courts "consider the ordinary and natural meaning of the re......
  • In re Equifax, Inc., MDL DOCKET NO. 2800
    • United States
    • United States District Courts. 11th Circuit. United States District Courts. 11th Circuit. Northern District of Georgia
    • 28 Enero 2019
    ...Dismiss, at 26.159 See 15 U. S. C. § 1681b(a).160 Federal Trade Commission Act. 15 U.S.C.A. § 45(a) ; F.T.C. v. Wyndham Worldwide Corp. , 799 F.3d 236, 247 (3d Cir. 2015).161 See 15 U.S.C. § 6801(b).162 See 16 C.F.R. § 314.4(b-e).163 Pls.' Br. in Opp'n to Defs.' Mot. to Dismiss, at 9.164 In......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT