FTC v. Wyndham Worldwide Solidifies the FTC’s Role in Regulating Cybersecurity

The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act and companies have fair notice that their specific cybersecurity practices could fall short of that provision. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).

Here are a few key points from the court’s opinion to consider:

  • Wyndham was hacked three times in 2008 and 2009 that resulted the compromise of over 619,000 consumer payment card records.
  • Information used to commit over $10.6 million in fraudulent charges.
  • Cybersecurity posture was very rudimentary and contravened recommendations in the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Businesses.
  • Website Privacy Policy made representations about its cybersecurity practices that were not true and, therefore, deceptive.