Third Circuit Court of Appeals Panel Holds That the Federal Trade Commission Has Authority to Regulate Cybersecurity Deficiencies as an Unfair Trade Practice
On August 24, 2015, a Third Circuit Court of Appeals panel in Federal Trade Commission v. Wyndham Worldwide Corp et al.,1 unanimously upheld an April 2014 district court ruling that the Federal Trade Commission (FTC) may bring enforcement actions against companies that do not adequately protect consumer information from cybersecurity breaches under the FTC’s authority to address unfair trade practices. The panel rejected Wyndham’s claim that it did not have fair notice as to what cybersecurity practices would be deemed inadequate by the FTC. The case solidifies the FTC’s authority as a key regulator of companies’ data security practices.
According to the FTC’s complaint, in 2008 and 2009, the computer systems of Wyndham Worldwide Corporation (Wyndham) were hacked in three separate instances, leading to the loss of credit card information and other personal details of 619,000 consumers and over $10.6 million in fraudulent charges.2 In June 2012, the FTC brought suit against Wyndham, alleging that the company’s computer systems “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”3 The complaint cited as deficient cybersecurity practices such as failure to address known security vulnerabilities in Wyndham’s servers and unencrypted storage of credit card information. Wyndham moved to dismiss the suit, challenging the FTC’s authority to bring the action under Section 5 of the Federal Trade Commission Act of 1914, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”4 In April 2014, the District Court in New Jersey rejected Wyndham’s arguments and denied Wyndham’s motion to dismiss, but certified its decision for interlocutory appeal. The Third Circuit granted Wyndham’s application for appeal on two issues: (a) whether the FTC has authority to regulate cybersecurity under the unfairness prong of Section 5; and, if so, (b) whether Wyndham had fair notice that its specific cybersecurity practices could fall short of the requirements of that provision.
THE THIRD CIRCUIT’S DECISION
In construing the concept of unfairness under Section 5, the Third Circuit traced the evolution of the FTC’s unfairness jurisdiction to the current statutory description that the FTC may not declare a practice unfair “unless . . . the practice causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable . . . and not outweighed by countervailing benefits.”5 The court rejected Wyndham’s argument that these three requirements of Section 5 are necessary but not sufficient conditions for the FTC to declare a particular act or practice an unfair trade practice. The court held that even if there are additional elements beyond the three set forth in Section 5, the FTC’s complaint had satisfied many of the requirements put forward by Wyndham, and the court was not persuaded by Wyndham’s arguments as to the additional requirements. Crucially, the court rejected Wyndham’s argument that a business could not treat its customers in an “unfair” manner when the business itself was a victim of criminal conduct. Rather, citing general principles of tort law, the court held that a company’s conduct did not need to be the “most proximate cause” of an injury, as long as the injury was foreseeable.6 Thus, Wyndham could not avoid liability even if the conduct of third party hackers was a more proximate cause of the harm to consumers or because the conduct of the third party was criminal. The court pointed out that, for good reason, Wyndham did not argue the cybersecurity breaches were unforeseeable, suggesting that with respect to the second and third attacks, the argument would have been implausible. The court further endorsed a theory that even a theoretical determination that an action or practice is likely to cause substantial injury is sufficient to meet the standard under the FTC Act: “[a]lthough unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury.”7
Wyndham argued that the FTC’s suit was an overreach of authority, and that if the court sanctioned the action, it would be akin to allowing the FTC to regulate hotel room door locks or sue supermarkets for failing to sweep up banana peels. The court characterized this reasoning as “alarmist to say the least,” and responded that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”8 The court concluded that it was “not persuaded by Wyndham’s arguments that [its] alleged conduct falls outside the plain meaning of ‘unfair.’”9
Turning to Wyndham’s due process challenge, the court said Wyndham was contending that the FTC needed to provide “fair notice” of the “specific cybersecurity standards the company was required to follow.”10 The court rejected this argument, reviewing the different legal standards that apply in various circumstances (criminal liability, civil liability, penalties, or agency economic regulation) for determining when a defendant has “fair notice” of what conduct will lead to liability. According to the opinion, a heightened standard of “ascertainable certainty” is required when the agency’s interpretation of a statute is accorded deference. This is because the agency’s interpretation does not have to be the “best” one, only a “reasonable” one. The panel noted that there was no FTC rule or adjudication about cybersecurity to which the court would provide deference – at least not at this stage of the litigation. Accordingly, it was left to the courts and not the FTC to determine whether Wyndham’s conduct was unfair within the meaning of Section 5. The court then concluded that Wyndham was “not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by Section 5(a). Instead, the relevant question . . . is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.”11
The court then proceeded to reject Wyndham’s argument that it lacked notice of what specific cybersecurity practices were necessary to avoid liability. The court noted that Wyndham is entitled to a relatively low level of statutory notice, because the relevant statute is civil, rather than criminal, and that the statute balances reasonably unavoidable consumer harm against countervailing benefits from the practice. The court characterized this as a cost-benefit analysis of the probability and expected size of the harm at a given level of cybersecurity protection against the costs that consumers would bear from increased cybersecurity investments, and said Wyndham should have understood the need for such an inquiry.
The Third Circuit then reasoned that “it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.”12 The court pointed to the allegations of the FTC’s complaint – assumed to be true at this stage of the litigation – emphasizing that the FTC did not allege that Wyndham used weak firewalls, encryption, or IP address restrictions, but rather, that Wyndham used no firewalls at critical network points, no encryption for certain files, and no restrictions for specific IP addresses at all.13 The panel further noted its conclusion that Wyndham had “fair notice” was “reinforced” because FTC had previously issued a guidebook detailing best practices for a sound data security plan and had brought several similar complaints and entered into consent decrees in administrative cases raising unfairness claims in the corporate cybersecurity context. The court concluded that, in sum, it had “little trouble rejecting Wyndham’s fair notice claim.”14
Notwithstanding growing concerns following a number of high-profile cybersecurity breaches, Congress has yet to adopt broad federal legislation governing data security. Despite this absence, the FTC since 2002 has brought more than 50 cases against companies for unfair or deceptive practices that endanger the personal data of consumers. The Third Circuit’s decision here affirms the FTC’s authority to proceed against businesses that have cybersecurity practices that the FTC deems inadequate, even in the absence of Congressional guidance or detailed regulatory standards. Moreover, enforcement actions may proceed even without affirmative misrepresentations.15 The court’s decision therefore counsels in favor of stronger security practices to protect against data breaches and consumer losses and vigilant attention to the adequacy of those practices, and it means that enforcement actions by the FTC and other agencies16 will continue to play a central role in cybersecurity regulation. Furthermore, in ruling that the FTC’s informal guidance and past complaints and consent decrees in administrative cases provided Wyndham fair notice of what conduct is permissible under the cost-benefit analysis, the Third Circuit implicitly endorsed the role that these sources play in establishing the baseline standard for cybersecurity preparedness. Companies would do well to remain apprised of developments in enforcement actions, assessment tools and best practice guides, and consider how they may apply in their cybersecurity planning.