Robert M. Langer

Third Circuit Affirms FTC's Ability to Bring Cybersecurity Enforcement Actions

August 31, 2015 Advisory

On August 24th, the United States Court of Appeals for the Third Circuit issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp., affirming a 2014 district court ruling that the Federal Trade Commission ("FTC") has the authority to regulate cybersecurity lapses. The Third Circuit also held that Wyndham – the global hospitality giant – had fair notice that its cybersecurity practices could fall short of Section 5 of the Federal Trade Commission Act of 1914 (the "FTC Act"), which broadly prohibits unfair or deceptive acts in commerce. As a result of this ruling, companies conducting business in the US should expect the FTC to continue its aggressive regulatory approach against companies that fail to protect consumer data against hackers.

The FTC's case stems from three data breaches involving Wyndham and its hotel subsidiaries during 2008 and 2009, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss. In its complaint, the FTC alleged that Wyndham's privacy policy misrepresented the security practices and controls that the company and its subsidiaries used to protect consumers' personal information, and that its failure to safeguard the information caused substantial consumer injury. The most notable problems alleged by the FTC included the failure to: (1) use firewalls between networks; (2) encrypt stored payment card information; (3) fix known security issues; (4) use industry standard password complexity; and (5) employ reasonable procedures to detect and prevent breaches.

Wyndham moved to dismiss the FTC's lawsuit, arguing that the FTC lacked the authority to pursue this type of case and had failed to publish any regulations that would give businesses fair notice of standards for data security. The district court rejected these arguments and further held that the FTC's allegations of differences between the promises Wyndham made in its privacy policy and the company's actual data security practices were sufficient to support a claim under the FTC Act.[1] Following the district court's denial of Wyndham's motion to dismiss, the Third Circuit granted appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the FTC Act, and (2) whether Wyndham received fair notice that its cybersecurity practices could fall short of the FTC Act's standard.

In its highly anticipated opinion, the Third Circuit affirmed the district court's ruling and held that the FTC has authority to regulate cybersecurity failures on the basis that they are "unfair" within the meaning of Section 5 of the Act, and that Wyndham was provided fair notice of the regulatory requirements.

Wyndham's main argument against the FTC's ability to use the "unfairness" standard of Section 5 of the FTC Act to regulate cybersecurity issues was that a violation of Section 5 required "unscrupulous or unethical" conduct, or, alternatively, conduct that is "not equitable," and that Wyndham had not acted as such. The Third Circuit rejected these arguments, holding that there was no judicial authority to support either standard. Moreover, the Third Circuit found that it did not need to address whether Section 5 unfairness requires a finding of inequitable conduct, because Wyndham did not act equitably. According to the Third Circuit, "[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing adequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

Wyndham's argument with respect to fair notice was that the FTC's claim under Section 5 violated the Due Process Clause because the FTC had not provided fair notice of the specific cybersecurity standards that Wyndham was required to meet to avoid liability. In rejecting this argument, the Third Circuit first explained that Wyndham was entitled to a lesser degree of notice because, among other reasons, the FTC Act is a civil statute, not a criminal statute. In finding that Wyndham had been provided with adequate notice, the Third Circuit emphasized that Wyndham had been hacked "not one or two, but three, times." The Third Circuit also found that the FTC's 2007 guidebook – which counseled against many of the specific practices instituted by Wyndham – as well as prior FTC cybersecurity settlements bolstered its conclusion that Wyndham was on notice that its practices could violate Section 5 of the FTC Act.

The Wyndham opinion is significant for several reasons. First, it affirms the FTC as the de facto watchdog over cybersecurity failures of companies that conduct business in the US. As a result, in addition to worrying about the consequences of the business disruption and reputational harm following cybersecurity breaches, companies must be prepared for an FTC enforcement action. Second, the Wyndham decision confirms that the FTC can bring enforcement actions based upon unreasonable cybersecurity practices despite the absence of statutory guidance or regulations on what reasonable cybersecurity practices should actually look like. Perhaps in confident anticipation of the Third Circuit's decision (or in response to critiques such as Wyndham's about inadequate notice of what constitutes reasonable cybersecurity practices), the FTC earlier this summer released "Start with Security,"[2] a 10-point overview of lessons businesses can draw from the FTC's 50-plus enforcement actions targeting inadequate cybersecurity. Third, many state analogues to the FTC Act (referred to as "Little FTC Acts") mirror Section 5(a)(1) of the FTC Act and are either "guided by" or give "great weight" to the FTC's interpretations of its own substantive Section 5 authority. Accordingly, the Wyndham decision may embolden both state attorneys general and private litigants alike to utilize these Little FTC Acts to challenge practices comparable to those found suspect in the Wyndham decision. It is very important to note that unlike the FTC Act, which does NOT contain a private right of action, almost every Little FTC Act does authorize private suits, including class actions, attorney fees and, in some cases, even punitive damages.