Detailed Narrative of Events

(Extended Documentation for the FTC v. Wyndham Worldwide Corp. Case Study)

Table of contents

  1. Overview
  2. Pre-enforcement environment (as alleged)
  3. Alleged intrusions and harm (2008–2009)
  4. FTC enforcement and motion practice (2012–2015)
  5. Third Circuit opinion (2015)
  6. Stipulated order (2015)

Overview

The FTC sued Wyndham-related hospitality entities in federal court, alleging that inadequate cybersecurity contributed to three payment-card intrusions between 2008 and 2009 affecting consumers’ payment card data across many Wyndham-branded hotel properties. The litigation produced a landmark Third Circuit decision on the FTC’s authority to pursue unfairness claims based on alleged data security failures under Section 5 of the FTC Act, including discussion of fair notice.

The matter concluded with a stipulated order for injunction entered December 11, 2015, requiring a comprehensive information security program and long-running assessment obligations focused on cardholder data and risks arising from network connections between franchised properties and corporate systems.


Pre-enforcement environment (as alleged)

Wyndham operated a franchised and managed hotel model. Individual properties used property management systems for payment card transactions and stored card data and related information. According to the complaint and the Third Circuit opinion, property environments allegedly connected to corporate networks in ways that created a shared attack surface if segmentation, access control, and monitoring were insufficient.


Alleged intrusions and harm (2008–2009)

According to publicly alleged facts discussed in the Third Circuit decision, intruders repeatedly compromised Wyndham’s environment between 2008 and 2009, including by exploiting weaknesses at the property level and leveraging connectivity to reach corporate systems, and exported large volumes of payment card data. Public materials describe fraudulent charges totaling in the millions of dollars and allege that known deficiencies were not adequately remediated between incidents.


FTC enforcement and motion practice (2012–2015)

In 2012, the FTC filed a federal complaint seeking injunctive relief (Federal Trade Commission v. Wyndham Worldwide Corporation, et al., D.N.J.). Wyndham challenged the FTC’s authority and the sufficiency of the claims. The district court denied Wyndham’s motion to dismiss in 2014, allowing the case to proceed. Wyndham sought interlocutory review in the Third Circuit.


Third Circuit opinion (2015)

In August 2015, the Third Circuit affirmed the district court in Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The court held that the FTC could pursue unfairness claims based on alleged cybersecurity failures under Section 5 (subject to Section 5(n) limitations) and addressed fair notice in the cybersecurity context. The decision is widely cited for FTC jurisdiction over unreasonable data security practices affecting commerce.


Stipulated order (2015)

In December 2015, the FTC and Wyndham filed a Stipulated Order for Injunction resolving the enforcement action. The order requires Wyndham to implement and maintain a comprehensive information security program for payment card data, with explicit attention to risks from network connections between Wyndham-branded hotels and Wyndham’s corporate network, and includes PCI DSS–related assessments and additional obligations described in the order text (Matter Nos. 1023142 / X120032 in public filings).

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM