This summer, the US Third Circuit Court of Appeal’s decision in FTC v Wyndham gave the green light for the Federal Trade Commission's to pursue relief against Wyndham Worldwide and its subsidiaries (“Wyndham”) for unfair and deceptive trade practices.
Wyndham is a hospitality company managing hotels around the world. Between 2008 and 2009, Wyndham was the target of three separate hacking incidents of its computer network, resulting in what the FTC alleged was at least US$10.6million in fraud loss due to over 600,000 consumers having their payment card information compromised.
In 2012, the FTC filed a formal complaint against Wyndham for failure to have adequate security practices to protect consumers’ personal information, charging it with unfair and deceptive business practices in violation of the Federal Trade Commission Act.
In 2014, the District Court dismissed Wyndham’s motion to dismiss the FTC action and Wyndham appealed.
The federal appeals court ruled that the FTC does have the authority to regulate and enforce cybersecurity standards under the provisions of the FTC Act. Further, the Court of Appeals was not persuaded by Wyndham’s arguments that it could not be found liable because it was itself a victim of cyber attacks.
Key Takeaway for the Canadian Businesses
Under the Canadian Competition Act, false and misleading advertising which is “material” is prohibited. The Competition Bureau has stated that the “test [for materiality] is not limited to representations which could influence strictly on-line purchases, but includes on-line representations which could influence off-line purchasing decisions as well.”
This decision is significant for three reasons:
- With cyber attacks increasing in frequency and sophistications, businesses should ensure that the information they collect from consumers is adequately protected;
- With the digital economy being an enforcement priority for the Bureau, businesses should ensure that the privacy/security representations they make are reflected by actual and adequate protocols, employee training, etc.