Third Circuit Says FTC Can Regulate Corporate Cybersecurity Policies
On August 24, 2015, the Third Circuit issued a precedential ruling affirming the District Court of New Jersey’s denial of Wyndham Worldwide Corporation’s (“Wyndham”) motion to dismiss a suit filed against it by the FTC. In the action, the FTC alleged that Wyndham’s cybersecurity policies amounted to unfair and deceptive practices. The highly anticipated decision in FTC v. Wyndham Worldwide Corp. affirmed the FTC’s authority to regulate corporations' cybersecurity practices and policies under the unfairness prong of Section 5 of the FTC Act.
Wyndham arose from three cybersecurity breaches in 2008 and 2009 in which hackers accessed Wyndham’s network and obtained credit card information from over 69,000 customers. This allegedly caused at least $10.6 million in fraud losses.
As a result of these breaches, the FTC filed suit in the District Court for the District of Arizona claiming that Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. §45(a). At Wyndham’s request, the case was transferred to the District Court for the District of New Jersey. Subsequently, Wyndham filed a Rule 12(b)(6) motion to dismiss both the unfair practice and deceptive practice claims. The District Court denied the motion but certified its decision on the unfairness claim for interlocutory appeal.
The Appellate Court’s three-judge panel reviewed the legal framework of the FTC Act of 1914, which prohibits “unfair methods of competition in commerce.” The Court found that in order to find a practice unfair it must: (1) be substantial; (2) not be outweighed by any countervailing benefits to consumers or competition; and (3) be an injury that consumers could not reasonably have avoided themselves.
Notably, the Court clearly stated there was no implication that Congress intended to exclude cybersecurity under Section 45(a). In doing so, the Court addressed whether the FTC failed to give fair notice of its cybersecurity standards that businesses are required to follow. Wyndham argued that it was entitled to “ascertainable certainty” as to what types of cybersecurity policies are required under Section 45(a). The relevant question, according to the Court, was not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether it had fair notice of what the statute itself required.
The Court found that fair notice is satisfied so long as Wyndham could reasonably have foreseen that a court could construe its conduct as falling within the meaning of the statute. The FTC’s complaint did not allege that Wyndham had weak cybersecurity, but rather that it essentially lacked any real cybersecurity – a fact painfully evident, according to the Court, as Wyndham was hacked three separate times. Accordingly, the Court stated that after at least the second time it was hacked, Wyndham was on notice of the possibility that a court could potentially find its practices fail the cost-benefit analysis required under Section 45(a). Moreover, the Court noted that other options were available to Wyndham to better understand appropriate cybersecurity practices, including a 2007 FTC-issued guidebook, entitled Protecting Personal Information: A Guide for Business, in which the agency provided a checklist of practices that constitute a “sound data security plan,” as well as other complaints and consent decrees based on inadequate corporate cybersecurity that could be found on the FTC website. For the above reasons, the Court held that Wyndham had adequate notice that its conduct could fall within the purview of Section 45(a).
In addition to fair notice, the Court also addressed Wyndham’s various arguments relating to the definition of “unfair” practice. The Court rejected Wyndham’s argument that an unfair practice necessarily involves “unscrupulous or unethical behavior,” noting that the Supreme Court had similarly rejected such a requirement in FTC v. Sperry & Hutchinson Co. The Court similarly struck down Wyndham’s argument that a business does not act in an unfair manner when the business itself has been victimized by criminals. The Court noted that while unfairness claims “usually involve actual and completed harms,” claims can also be brought on the basis of likely rather than actual injury. Lastly, the Court was unpersuaded by Wyndham’s reductio ad absurdum argument that if the FTC’s unfairness authority extended to it, then the agency would also have the ability to sue supermarkets that “are sloppy about sweeping up banana peels.” The Court noted that if Wyndham were a supermarket, leaving so many banana peels on its floors that 619,000 of its customers fell would hardly suggest that it should be immune from liability under §45(a).
While there is concern that the Wyndham decision may give the FTC greater latitude with respect to aggressively pursuing companies that suffer cyber breaches and requiring organizations to undergo third-party security assessments, avoiding FTC action is typically not that difficult. Historically, the FTC has pursued those businesses that have exceptionally insecure data security and/or failed to maintain reasonable security for consumer data entrusted to them. Since the early 2000s, the FTC has pursued more than 50 such cases, largely where businesses utterly failed to establish secure systems. Only Wyndham and one other company – which is currently winding down – refused to sign consent decrees with the FTC.
In the wake of Wyndham, companies should be sure their security is consistent with reasonable industry standards. If faced with an FTC action, working with counsel to obtain a favorable settlement may prove to be