Can Weak Cybersecurity Be Misleading Advertising?

This summer, the US Third Circuit Court of Appeals' decision in FTC v Wyndham gave the green light for the Federal Trade Commission to pursue relief against Wyndham Worldwide and its subsidiaries (“Wyndham”) for unfair and deceptive trade practices.


Wyndham is a hospitality company managing hotels around the world. Between 2008 and 2009, Wyndham's computer network was the target of three separate hacking incidents, resulting in what the FTC alleged was at least US$10.6 million in fraud loss due to over 600,000 consumers having their payment card information compromised.

In 2012, the FTC filed a formal complaint against Wyndham for failure to have adequate security practices to protect consumers’ personal information, charging it with unfair and deceptive business practices in violation of the Federal Trade Commission Act.

The deception claim stemmed from Wyndham’s privacy policy statement, which the FTC alleged misrepresented the security measures Wyndham took to safeguard consumer information such as payment card numbers. Wyndham’s privacy policy stated that the company had adopted “industry standard practices” for the protection of personal information which included security measures such as firewalls, encryption of data, etc.

In 2014, the District Court denied Wyndham’s motion to dismiss the FTC action and Wyndham appealed.

The federal appeals court ruled that the FTC does have the authority to regulate and enforce cybersecurity standards under the provisions of the FTC Act. Further, the Court of Appeals was not persuaded by Wyndham’s arguments that it could not be found liable because it was itself a victim of cyber attacks. 

Ultimately, the court found that Wyndham did not act equitably by overstating its privacy policy in order to attract, and profit from, unsuspecting customers who valued the standard of cybersecurity represented by Wyndham through its websites. Based on the FTC’s investigation, there was a fundamental disconnect between what was being represented to consumers through Wyndham’s privacy policy and what the company was actually implementing for security.

Key Takeaway for Canadian Businesses

Under the Canadian Competition Act, false and misleading advertising which is “material” is prohibited. The Competition Bureau has stated that the “test [for materiality] is not limited to representations which could influence strictly on-line purchases, but includes on-line representations which could influence off-line purchasing decisions as well.” 

In FTC v Wyndham, the FTC argued that consumers could not have booked with another hotel because they had been misled by the privacy policy online. As a result, the privacy policy influenced the decision of consumers to book with Wyndham who, unbeknownst to them, did not have sufficient security practices to protect their personal and payment card information.

This decision is significant for three reasons:

  1. With cyber attacks increasing in frequency and sophistication, businesses should ensure that the information they collect from consumers is adequately protected;
  2. With privacy becoming a major concern for consumers, businesses must ensure that the internal protocols they have in place are accurately stated in their public-facing privacy policy; and
  3. With the digital economy being an enforcement priority for the Bureau, businesses should ensure that the privacy/security representations they make are reflected by actual and adequate protocols, employee training, etc.
