U.S.A.: Federal Appellate Court affirms denial of Franchisor’s motion to dismiss case brought by FTC based on data breaches through Franchisee’s and other entity’s systems.

Carl ZWISLER | USA | 2015-10-15


FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug 24, 2008).  The FTC’s complaint was predicated on data security breaches of the property management system used by Wyndham and its franchisees.  FTC v. Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622 (D.N.J. Apr. 7, 2014).  Wyndham’s appeal marks the first time a business has challenged the FTC’s enforcement authority in the cybersecurity area.  The ruling affirms the FTC’s authority and allows the district court to move forward with a consideration of potential liability.

The FTC alleged that franchisor Wyndham Hotels & Resorts, along with its affiliates, engaged in deceptive practices by misrepresenting that it used “industry standard practices” and “commercially reasonable efforts” to secure the data it collected from guests, and that Wyndham engaged in unfair practices by failing to protect customer data.  Between 2008 and 2010, a criminal organization hacked into the property management system multiple times—first through a franchisee’s local computer network, and then through an administrator account at one of the Wyndham entity’s data centers.  The hackers accessed credit card information from several hundred thousand guests of company-owned and franchised hotels, which allegedly resulted in $10.6 million in fraud losses.

Wyndham moved to dismiss the complaint on the grounds that the FTC does not have the authority to assert an unfairness claim in the data security context, that the FTC must promulgate regulations before bringing an unfairness claim, and that the FTC did not sufficiently plead allegations to support its unfairness or deception claim, in part because the hotels operated by franchisees are separate entities for which Wyndham is not legally responsible.  The district court disagreed with each of Wyndham’s arguments.

Of particular interest to franchisors is the rejection of Wyndham’s contention that “as a matter of law, it [Wyndham] is necessarily a separate entity from Wyndham-branded hotels,” with each maintaining its own computer network and engaging in separate data collection practices.  The district court noted that the FTC alleged that Wyndham failed to provide reasonable security for the personal information collected by it and its franchisees, and determined that the allegation was sufficient to withstand a motion to dismiss.

The district court was also not persuaded by Wyndham’s argument that its privacy policy expressly disclaimed responsibility for the security of customer data collected by its franchisees, and applied only “to the extent we control the Information.”  Wyndham cited language in its privacy policy that “expressly disclaims making any representations about the security of payment-card data collected by the Wyndham-branded hotels.”  The court, however, pointed out other language in the same Wyndham privacy policy that emphasized the “importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests” and stated that it “applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities.”  The court found that a reasonable customer might have understood the policy to cover data security practices at both company-owned and franchised hotels to the extent Wyndham controls the information.

Wyndham appealed the decision to the Third Circuit, arguing that the FTC did not have the authority to regulate cybersecurity under the unfairness prong of the FTC Act, and that even if it did, Wyndham did not have fair notice that its specific cybersecurity practices could fall short of that provision.  The appellate court found against Wyndham on both issues.  In response to Wyndham’s argument that a business does not treat its customers in an unfair manner when the business itself is victimized by criminals, the court found that a company’s conduct need not be the most proximate cause of an injury for the company to be liable for foreseeable harms.  And although subsequent legislation has given the FTC the authority to regulate cybersecurity in certain instances, the court found that the FTC had the general authority to do so under the 100-year-old FTC Act as well.  The appellate court also had no trouble finding that Wyndham had fair notice of the specific standards it was required to follow, because the policy statement contained within the Act provided the three factors the FTC considers for unfairness claims.

The district court is now free to consider the merits of the FTC’s claims.  This case illustrates the difficulty franchisors may have in separating their liability for data security snafus from that of their franchisees, particularly when the franchisor exercises some control, and the franchisor and franchisees share a network or are otherwise susceptible to breaches of each other’s systems.  In addition, this case serves as a reminder that businesses should carefully consider what they state in their website privacy policies relative to data security.


Carl Zwisler, IDI country expert for franchising in USA and Maisa Jean Frank, Gray Plant Mooty.
