Third Circuit Affirms FTC's Ability to Bring Cybersecurity Enforcement Actions
On August 24th, the United States Court of Appeals for the Third Circuit issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp., affirming a 2014 district court ruling that the Federal Trade Commission ("FTC") has the authority to regulate cybersecurity lapses. The Third Circuit also held that Wyndham, the global hospitality giant, had fair notice that its cybersecurity practices could fall short of Section 5 of the Federal Trade Commission Act of 1914 (the "FTC Act"), which broadly prohibits unfair or deceptive acts in commerce. As a result of this ruling, companies conducting business in the US should expect the FTC to continue its aggressive regulatory approach against companies that fail to protect consumer data against hackers.
In its highly anticipated opinion, the Third Circuit affirmed the district court's ruling and held that the FTC has authority to regulate cybersecurity failures on the basis that they are "unfair" within the meaning of Section 5 of the Act, and that Wyndham was provided fair notice of the regulatory requirements.
Wyndham's argument with respect to fair notice was that the FTC's claim under Section 5 violated the Due Process Clause because the FTC had not provided fair notice of the specific cybersecurity standards that Wyndham was required to meet to avoid liability. In rejecting this argument, the Third Circuit first explained that Wyndham was entitled to a lesser degree of notice because, among other reasons, the FTC Act is a civil statute, not a criminal statute. In finding that Wyndham had been provided with adequate notice, the Third Circuit emphasized that Wyndham had been hacked "not one or two, but three, times." The Third Circuit also found that the FTC's 2007 guidebook, which counseled against many of the specific practices instituted by Wyndham, as well as prior FTC cybersecurity settlements, bolstered its conclusion that Wyndham was on notice that its practices could violate Section 5 of the FTC Act.
The Wyndham opinion is significant for several reasons. First, it affirms the FTC as the de facto watchdog over cybersecurity failures of companies that conduct business in the US. As a result, in addition to worrying about the consequences of the business disruption and reputational harm following cybersecurity breaches, companies must be prepared for an FTC enforcement action. Second, the Wyndham decision confirms that the FTC can bring enforcement actions based upon unreasonable cybersecurity practices despite the absence of statutory guidance or regulations on what reasonable cybersecurity practices should actually look like. Perhaps in confident anticipation of the Third Circuit's decision (or in response to critiques such as Wyndham's about inadequate notice of what constitutes reasonable cybersecurity practices), the FTC earlier this summer released "Start with Security," a 10-point overview of lessons businesses can draw from the FTC's 50-plus enforcement actions targeting inadequate cybersecurity. Third, many state analogues to the FTC Act (referred to as "Little FTC Acts") mirror Section 5(a)(1) of the FTC Act and are either "guided by" or give "great weight" to the FTC's interpretations of its own substantive Section 5 authority. Accordingly, the Wyndham decision may embolden state attorneys general and private litigants alike to utilize these Little FTC Acts to challenge practices comparable to those found suspect in the Wyndham decision. It is very important to note that unlike the FTC Act, which does NOT contain a private right of action, almost every Little FTC Act does authorize private suits, including class actions, attorney fees and, in some cases, even punitive damages.