On August 24, 2015, the Third Circuit held that the Federal Trade Commission (FTC) could move forward with its enforcement actions against Wyndham Worldwide Corporation, a hospitality company that experienced three cybersecurity attacks in 2008 and 2009 resulting in the disclosure of confidential payment information for over 619,000 consumers and at least US$10.6 million in fraud loss. The court held that the FTC has authority to regulate cybersecurity under Section 45(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The court further held that Wyndham had fair notice that its specific cybersecurity practices could fall short of Section 45(a), rejecting Wyndham’s claim that it was entitled to notice of the specific cybersecurity practices required by that statute. In discussing why Wyndham had proper notice that its practices could be inadequate, the court in part cited both a 2007 FTC guidebook that contained a checklist of practices that form a “sound data security plan” and the FTC’s history of filing complaints and entering consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity.