Bookmark and Share



» Access to Courts and Court Remedies

» Campaign Finance and Election Laws

» Constitutional Rights and Requirements

» Health, Safety, and Environment

» Open Government and Open Courts

» Representing Consumers

» Workers' Rights

Currently Featured Topics

Government Transparency
Consumer Justice
First Amendment
Health, Safety and the Environment


Read about our work helping lawyers
with cases in the Supreme Court.


  Public Citizen | Litigation Cases ***Search other cases***

Federal Trade Commission v. Wyndham Worldwide Corp., et al.

Topic(s): Consumer Justice



The Federal Trade Commission (FTC) filed a civil complaint against Wyndham Worldwide Corporation and affiliated companies (collectively, Wyndham) for failing to implement reasonable data security measures to protect customers’ payment card information. Wyndham’s failure left its network vulnerable to cyber criminals, who accessed Wyndham’s network three times and stole hundreds of thousands of consumers’ information before the FTC filed suit. The FTC asserts that Wyndham engaged in unfair and deceptive practices relating to data security under the FTC Act, 15 U.S.C. § 45. Wyndham moved to dismiss the case.

Public Citizen and Chris Jay Hoofnagle, a lecturer in residence at the University of California, Berkeley School of Law, filed an amicus brief in support of the FTC’s opposition to the motion to dismiss. The brief discussed the substantial harm that consumers are likely to suffer when their financial or other sensitive information is stolen from a company’s computer network. It also explained why FTC enforcement actions such as the one at issue here are critical to redressing the unfair corporate practices that lead to data breaches of consumer information.

The district court denied Wyndham’s motion to dismiss, holding that Section 5 of the FTC Act permits the FTC to bring enforcement actions against companies for unfair or deceptive practices in the data security realm. The court also rejected Wyndham’s alternative argument that the FTC was required to provide notice of its Section 5 authority by promulgating formal regulations before maintaining any enforcement actions.

Wyndham took an interlocutory appeal of the district court’s denial of its motion to dismiss the FTC’s claim that Wyndham’s data security practices constituted an “unfair” practice under Section 5 of the FTC Act. On appeal, Wyndham argued that the FTC’s attempt to regulate corporate data security practices exceeded its statutory authority to regulate unfair business practices, that Wyndham was deprived of fair notice of how the FTC interpreted its regulatory authority with respect to data security, and that no substantial injury occurred to any consumer as a result of the breaches of Wyndham’s computer systems. Public Citizen’s amicus brief explained that the injury to consumers following a corporate data breach includes significant financial, emotional, and time costs, and explained that past FTC enforcement actions involving corporate data security practices similar to those Wyndham is alleged to have maintained provide fair notice of the FTC’s interpretation of its regulatory authority in this area and are critical to protecting consumers. The Third Circuit affirmed the Federal Trade Commission's authority to regulate companies' data security in rejecting Wyndham Worldwide Corp.'s argument that Congress had never intended for the commission to be able to use its unfairness authority to police such practices.

Copyright © 2017 Public Citizen. Some rights reserved. Non-commercial use of text and images in which Public Citizen holds the copyright is permitted, with attribution, under the terms and conditions of a Creative Commons License. This Web site is shared by Public Citizen Inc. and Public Citizen Foundation. Learn More about the distinction between these two components of Public Citizen.

Public Citizen, Inc. and Public Citizen Foundation


Together, two separate corporate entities called Public Citizen, Inc. and Public Citizen Foundation, Inc., form Public Citizen. Both entities are part of the same overall organization, and this Web site refers to the two organizations collectively as Public Citizen.

Although the work of the two components overlaps, some activities are done by one component and not the other. The primary distinction is with respect to lobbying activity. Public Citizen, Inc., an IRS § 501(c)(4) entity, lobbies Congress to advance Public Citizen’s mission of protecting public health and safety, advancing government transparency, and urging corporate accountability. Public Citizen Foundation, however, is an IRS § 501(c)(3) organization. Accordingly, its ability to engage in lobbying is limited by federal law, but it may receive donations that are tax-deductible by the contributor. Public Citizen Inc. does most of the lobbying activity discussed on the Public Citizen Web site. Public Citizen Foundation performs most of the litigation and education activities discussed on the Web site.

You may make a contribution to Public Citizen, Inc., Public Citizen Foundation, or both. Contributions to both organizations are used to support our public interest work. However, each Public Citizen component will use only the funds contributed directly to it to carry out the activities it conducts as part of Public Citizen’s mission. Only gifts to the Foundation are tax-deductible. Individuals who want to join Public Citizen should make a contribution to Public Citizen, Inc., which will not be tax deductible.


To become a member of Public Citizen, click here.
To become a member and make an additional tax-deductible donation to Public Citizen Foundation, click here.