On March 3, 2015, the Third Circuit heard oral argument in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) on the issue of whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act.

This appeal arises out of the District Court’s holding that the unfairness prong of Section 5 provides the FTC with the authority to regulate data security in the private sector.  (Previously reported here).  In its appellate briefs and at oral argument, the FTC argued that the district court got it right, noting that the FTC Act’s legislative history supports a broad unfairness power inclusive of “every manner of consumer harm.”  Wyndham countered that “as a matter of statutory interpretation, whatever unfair trade practices means, it cannot be stretched to mean negligent behavior, . . . or negligent omissions, which allowed criminal activity to take place.”  The Panel – comprised of Judges Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica – did not seem entirely convinced on this issue.  Although the Panel hinted that the Act’s legislative history may not support the FTC’s broad interpretation of the statute, the Judges asked several questions directed at whether the FTC’s ability to regulate unfair practices subsumes allegations of negligent behavior coupled with deceptive public statements about security practices.

The Panel’s questions also addressed whether the FTC can bring a case to federal court without first declaring, either through rulemaking or internal adjudication, that unreasonable cybersecurity practices are unfair.  This issue was significant enough to the Panel that it raised the issue with the parties even prior to oral argument.*  The FTC argued that it can proceed with cybersecurity claims in court without first declaring unreasonable cybersecurity practices unfair.  It analogized this situation to when the FTC pursued claims against telephone companies for “cramming” on consumer phone bills in federal court without first addressing the issue administratively.  Wyndham, on the other hand, argued that the FTC should be required to engage in rulemaking first – though the company also noted its preference for federal court over administrative proceeding.  The Panel ultimately requested additional briefing on this issue, manifesting the Panel’s continuing focus and interest.  Although it is not possible to predict with certainty how the Panel will actually resolve this issue, its questioning did intimate that, at least in this case, “detailed administrative consideration” prior to bringing an enforcement action may have been warranted.

The Panel also asked a number of questions relating to the cybersecurity standards that would apply to the FTC’s claims.  For example, Judge Roth asked whether there are established cybersecurity standards already in existence; if not, should they be developed; and if so, by whom.  Wyndham noted that while two cybersecurity standards do exist – Payment Card Industry (“PCI”) and National Institute of Standards and Technology (“NIST”) – the FTC has not yet adopted any such standard.  As such, Wyndham argued that the transaction cost of trying to “guess” where the FTC is on reasonable standards is “enormous.”  The FTC countered by pointing to the various complaints and consent decrees as evidence of what constitutes unreasonable security standards – standards that can be difficult to establish given ever-changing technology.  The Panel did not appear wedded to the district court’s finding that the FTC’s evidence of what constituted unreasonable security standards was sufficient to give companies fair notice – “how do companies know when they should be reading them?”

When issued, the Third Circuit’s opinion will be of great interest to us all as it will be the first appellate court decision regarding the FTC’s regulatory authority with respect to data security practices.

*The Court issued a letter to the parties on February 20, 2015 asking them to address the following at oral argument:

  1. Has the Federal Trade Commission declared that unreasonable cybersecurity practices are “unfair,” 15 U.S.C. § 45(a), through the procedures provided in the Federal Trade Commission Act, 15 U.S.C. §§ 41-48?
  2. Assuming it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?