Third Circuit Rules in Favor of FTC Having Authority to Regulate Data Security

On August 24, 2015, in FTC v. Wyndham Worldwide Corp., the Third Circuit Court of Appeals held that the FTC has authority to regulate cyber security under the “unfairness” prong of Section 5 of the Federal Trade Commission Act. The background of the case is this: on three occasions in 2008 and 2009, hackers successfully penetrated Wyndham Worldwide Corporation’s computer network. These three data security breaches resulted in the theft of personal and financial information of hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. The FTC filed suit against Wyndham alleging that Wyndham’s lack of sufficient cyber security was an unfair practice. Wyndham moved to dismiss the case at the District Court level, but its motion was denied. That ruling was appealed to the Third Circuit, which upheld the District Court’s ruling, thereby strengthening the FTC’s authority to regulate cyber security and to pursue fines and penalties against companies for insufficient security measures.

Section 5 of the Federal Trade Commission Act (the “Act”) is a pre-World War II statute that gives the FTC authority to challenge “unfair or deceptive act[s] or practice[s]”. Over the years, the FTC has used this provision to challenge a variety of business practices it deemed “unfair”. Although the Act was adopted well before the internet existed, and well before data security was a concern, the FTC has used the unfairness provision to regulate and penalize businesses it deemed to have insufficient cyber security measures in place. Wyndham challenged the FTC, arguing that the unfairness prong of the Act did not give the FTC authority to regulate cyber security. Wyndham also argued that the term “unfair” was so vague that it did not have fair notice of what cyber security measures were required to satisfy the statute.

The Third Circuit first addressed whether the Act gives the FTC authority to regulate cyber security. Answering that question in favor of the FTC, the Court held that the prior use and interpretation of the term “unfairness” were sufficient to bring cyber security, and Wyndham’s alleged conduct in particular, within the plain meaning of the term “unfair”. Because that conduct fell within the meaning of “unfair”, and the FTC may regulate “unfair” conduct, the FTC had authority to regulate Wyndham’s cyber security practices.

The Court next addressed whether Wyndham had sufficient, or “fair”, notice of what was prohibited, that is, of what cyber security practices were required in order not to engage in an unfair practice. The Court stated that Wyndham had fair notice if it could reasonably foresee that a court could construe its conduct as falling within the meaning of the statute. On the facts of the case, the Court found that Wyndham had fair notice that its conduct could be considered an unfair practice. The Court noted that Wyndham had been hacked not once but three times. In certain areas of cyber security, the complaint alleged that Wyndham used not merely weak security measures, but no security measures at all. For example, the FTC did not allege that Wyndham used weak firewalls, but that it failed to use any firewalls at critical network points.

The Court also noted that in 2007 the FTC had issued a guidebook, “Protecting Personal Information: A Guide for Business”, which counseled against many of the specific practices in which Wyndham allegedly engaged. Lastly, before the attacks on Wyndham, the FTC had filed complaints against, and entered into consent decrees with, other companies based on unfairness claims arising from inadequate corporate cyber security. These facts were sufficient to show that Wyndham had fair notice that its cyber security practices could violate the unfairness prong of the Act.

The takeaway from this case is that it will be difficult to challenge the FTC’s regulatory authority in the field of cyber security. Although the ruling did not specifically address the FTC’s authority over privacy practices under the “deceptive” prong of the Act, it is my opinion that it will be similarly difficult to challenge the FTC’s authority in that area. Another takeaway is to pay attention to guides and “best practice” material issued not only by the FTC but also by NIST, the FDA and similar agencies when it comes to security and privacy. Although such material does not carry the force of a statute or regulation, a court may weigh it heavily when deciding whether a business followed sufficient security and privacy practices.

Written by: Richard Sheinis, Esq.