There are a multitude of federal laws, such as HIPAA and Gramm-Leach-Bliley, that impose penalties for failure to protect certain types of client data in certain circumstances, and even states have gotten in on the act, with Kentucky providing a private right of action for consumers affected by a data breach. To date, however, there is no comprehensive federal legislation designed to safeguard sensitive client data in all circumstances. The Federal Trade Commission feels otherwise, recently invoking the Federal Trade Commission Act of 1914 ("the Act") to argue that failure to protect client data is an unfair or deceptive business practice in violation of the Act. In the case of FTC v. Wyndham Worldwide Corporation, the Third Circuit agreed.

Between 2008 and 2009, Wyndham Worldwide ("Wyndham") was the target of three cyberattacks compromising the payment data of over 619,000 clients, resulting in at least $10.6 million in fraud loss. The company had posted a privacy policy on its website that overstated the company's cybersecurity. The FTC sued Wyndham on counts of deceptive practices, for overstating its cybersecurity claims, and unfair practices, for failing to safeguard client data.

The argument that failure to protect client data is an unfair business practice is not as large of an intellectual leap as it may seem. 12 U.S. Code § 45, in subsection (n), specifies that an "act or practice" is unfair when it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." Wyndham argued that even though these three criteria statutorily seem to create a claim for an unfair business practice, the plain meaning of the word "unfair" implies that there must be more to such a claim than just acts that cause injuries to consumers that consumers cannot prevent. The Third Circuit Court of Appeals disagreed, holding that the FTC can address inadequate cybersecurity practices.

This decision is a watershed moment for corporate liability for data breach. Any company that is subject to FTC jurisdiction is now potentially liable for failure to adequately protect consumer data, and no agency rules, regulations or guidance are necessary. Only FTC enforcement will provide any sort of notice as to what the agency is looking for, following a soft "I know it when I see it" line rather than black letter law. The FTC is taking its consumer protection mandate in new directions to protect consumers from the consequences of poor cybersecurity, and companies that store sensitive client data should look on this decision as the first shot in an expanded regulatory war over how such data is stored and protected. The attorneys of McBrayer can help companies prepare data security policies and inform companies about the liability that can arise from a data breach.