FTC Need Not Provide Specific Cybersecurity Standards for Businesses
In a long-awaited ruling in Federal Trade Commission v. Wyndham Worldwide Corp., the Third Circuit rejected Wyndham’s argument that the FTC has no authority to regulate its cybersecurity practices under the unfairness prong of the FTC Act and that businesses are not entitled to notice of the specific cybersecurity standards they must follow.
Unfair Cybersecurity Practices
In 2008 and 2009, hackers successfully accessed Wyndham’s computer systems and stole personal and financial information for more than 619,000 consumers in three different attacks that led to more than $10.6 million in fraudulent charges.
In its opinion, the Third Circuit first rejected Wyndham’s argument that the plain meaning of the word “unfair” imposes independent requirements that are not met. Instead, it held that Wyndham’s alleged conduct does not fall outside the plain meaning of the word “unfair.”
It also dismissed Wyndham’s argument that it cannot treat its customers in an unfair manner when its own business was victimized by criminals because the FTC Act expressly contemplates the possibility that conduct can be unfair before an actual injury occurs. As such, the Third Circuit held that Wyndham’s alleged conduct fell within the unfairness prong of the FTC Act.
The Third Circuit also rejected Wyndham’s argument that it was entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by the FTC Act. The Third Circuit held that by Wyndham’s own admission, this case involved the ordinary judicial interpretation of a civil statue and therefore, a low level of statutory notice was required. Moreover, the FTC Act is not so vague as to have no rule or standard by which Wyndham could comply.
Instead, the Third Circuit held that the key question is whether Wyndham had fair notice of the statute itself. That standard is satisfied if the company can reasonably foresee that the court can construe its conduct as falling within the meaning of the statute. While it may have been unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees, in this case, Wyndham did not argue that it was not aware of the published FTC complaints or consent decrees. Instead, it only argued that it didn’t have specific notice of what the law requires.
This decision reflects the importance of having robust cybersecurity practices and policies tailored to a business’ individual needs. For businesses regulated under the Health Insurance Portability and Accountability Act (“HIPAA”), it is important to note that the FTC maintains that it has the authority to enforce the FTC Act against a healthcare entity, even if the entity is also subject to HIPAA’s breach notification policies and HHS enforcement (although this position has never been tested before a court). In practice, the FTC has initiated enforcement actions against healthcare entities in a limited number of cases. Nevertheless, healthcare entities should also be mindful that the Wyndam decision could apply to them and that they, too should implement robust cybersecurity practices to comply with the FTC Act as well as HIPAA.