In a much-anticipated decision last week, the U.S. Court of Appeals for the Third Circuit affirmed the authority of the Federal Trade Commission (“FTC” or the “Commission”) to regulate cybersecurity under the unfairness prong of Section 5 of the FTC Act.

The unanimous three-judge panel upheld an April 2014 decision by Judge Esther Salas of the U.S. District Court for the District of New Jersey, which, as loyal blog readers will recall, declined to dismiss the FTC’s case against hospitality industry defendant Wyndham Worldwide Corporation (“Wyndham”).

The Opinion

The interlocutory appeal addressed two questions: (1) whether the FTC has the authority to regulate cybersecurity under the unfairness prong of the FTC Act; and (2) if so, whether Wyndham had fair notice that its specific practices could fall short of that standard.  According to the Third Circuit, the answer to both questions was yes.

I.  The FTC Has Regulatory Authority Over Cybersecurity Issues under Section 5 of the FTC Act

In addressing the first issue, the court was not persuaded by Wyndham’s argument that Congress lacked a reason to pass subsequent legislation – namely the Gramm-Leach-Bliley Act, Children’s Online Privacy Protection Act and Fair Credit Reporting Act – if the FTC already had regulatory authority over cybersecurity issues under Section 5 of the FTC Act, 15 U.S.C. § 45(a).  Instead, the court viewed each as having expanded the scope of the FTC’s authority, such as by instructing the Commission to promulgate regulations.  Nor did the Third Circuit agree with appellant that the FTC’s prior statements undermined its authority over cybersecurity issues, instead determining that the FTC had merely acknowledged limitations in its ability to require companies to adopt certain information practices. 

II.  Fair Notice

The Third Circuit found no basis to support a Due Process Clause challenge based on a lack of “fair notice of what is prohibited.”  Wyndham argued it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices the FTC Act requires.  However, according to the court, “[t]he relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires.”  FTC v. Wyndham Worldwide Corp., No. 14-3514 at 35 (3rd Cir. Aug. 24, 2015).

Applying this standard, the court rejected the contention that the case should be dismissed on fair notice principles.  Where, as here, the case involved a civil statute regulating economic activity, the level of statutory notice required was relatively low.  Although characterizing the framework under Section 5 as “far from precise,” the court noted that it involves “a cost-benefit analysis that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”  Id. at 39-40.

Implications of the Decision 

As reflected by the statement issued by FTC Chairwoman Edith Ramirez immediately following the decision, the Commission views as “critical” its ability to act “on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Although a rehearing en banc may be requested, the panel’s decision is an important victory for the FTC.  The decision clears the way for the agency to pursue cybersecurity concerns without regard for “deception,” instead focusing (where necessary) solely on “unfairness.”  The opinion likely will herald increased agency activity going forward.