Following the Third Circuit’s ruling upholding the FTC’s authority to regulate unfair and deceptive cybersecurity practices under Section 5 of the FTC Act, Wyndham Worldwide Corporation and the FTC have agreed to settle. This marks the end of a hotly contested and closely watched case at the crossroads of data security and regulatory enforcement.
As reported in our previous posts on this topic, Wyndham experienced three breaches of its systems in 2008 and 2009, resulting in the exposure of approximately 619,000 consumers’ credit card numbers. The FTC initiated an enforcement action in 2012 alleging that Wyndham engaged in unfair and deceptive cybersecurity practices in violation of Section 5 of the FTC Act. The FTC asserted that Wyndham’s cybersecurity practices were deficient in myriad ways that placed consumer data at risk of theft, for example by storing payment card information in clear text, using weak and default passwords across networks, failing to install or misconfiguring firewalls, failing to adequately restrict vendor access to corporate networks, and failing to follow appropriate incident response procedures after successive cyberattacks.
In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform. In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.