In a much-anticipated decision, the U.S. Court of Appeals for the Third Circuit recently upheld the Federal Trade Commission’s ability to regulate cybersecurity as an unfair business practice, in Federal Trade Commission v. Wyndham Worldwide, No. 14-3514, __ F.3d __ (3d Cir. Aug. 24, 2015). While the outcome is not necessarily a surprise given the facts of the case, the decision will carry significant implications for companies that collect and maintain consumer information. A potential caveat is whether Wyndham Worldwide Corp. seeks and is granted certiorari by the U.S. Supreme Court. Even if certiorari is granted, it would be wise to heed the lessons of this case while waiting on final word from the Supreme Court.

The FTC sued Wyndham Worldwide and three affiliated companies in federal district court for both unfair and deceptive business practices, seeking injunctive and other equitable relief, including restitution to consumers, under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. Section 45(a). The FTC alleges that Wyndham failed to maintain reasonable and appropriate data security for consumer information in connection with a series of three data breaches in 2008 and 2009. More specifically, the FTC alleges that all three breaches took advantage of the same shortcomings in Wyndham's network: storage of payment card information in readable text (failure to encrypt); allowance of "default" and easy-to-guess passwords; failure to use firewalls and other commercially available methods for protecting data; failure to ensure that hotels connecting to the network had adequate information security policies and procedures; failure to properly restrict third-party vendor access to the network; failure to monitor for unauthorized access; and failure to follow proper breach response protocols.

The complaint further alleges that the second breach used malware from the first breach that had never been removed from the system, and that throughout the relevant period Wyndham advertised that it used "industry standard practices," including encryption and firewalls, to safeguard customer information. The FTC also alleges that, across the three breaches, the hackers downloaded personal and financial information for hundreds of thousands of consumers, resulting in more than $10.6 million in fraudulent charges.
