In a closely watched case where the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation for several data breaches that led to millions of dollars in fraudulent charges on customers’ payment cards, the U.S. Court of Appeals for the Third Circuit on Monday agreed with the Commission’s broad interpretation of its “unfairness” authority (opinion here). The ruling ratifies the FTC’s authority in the domain of data security, and will allow the FTC to continue to seek settlements from companies that suffer data breaches when they fail to take adequate precautions to protect sensitive consumer data.
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” For a decade, the FTC has taken enforcement actions against companies suffering data breaches, alleging that their security practices were insufficient, and that the insufficiency was unfair under Section 5. In 2008 and 2009, Wyndham suffered three data breaches that led to the unauthorized release of personal information for hundreds of thousands of customers. The FTC filed a complaint in District Court alleging that Wyndham engaged in unfair practices that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Wyndham challenged the FTC’s interpretation, arguing that conduct can only be unfair if it injures consumers through unscrupulous or unethical behavior, or if the behavior is inequitable or marked by injustice, partiality, or deception. The company further pointed to subsequent legislation to suggest that specific grants of authority to the FTC in the area of data security (such as through the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act) indicate the absence of general cybersecurity authority for the FTC. Finally, Wyndham argued that even if its conduct was unfair, the FTC failed to give adequate notice of what security standards would be imposed on it. The District Court denied Wyndham’s motion to dismiss, but certified its decision on the unfairness claim for interlocutory appeal.
The Third Circuit affirmed the District Court’s decision, finding that the FTC’s allegations met the criteria for unfairness under Section 5. Specifically, the court concluded that to be unfair, conduct must cause substantial injury that is not outweighed by countervailing benefits to consumers and that consumers could not reasonably have avoided. The Court further found that subsequent legislation did not limit the FTC to specific grants of authority. The Third Circuit agreed with Wyndham that the company was entitled to some notice of what was required, but it found adequate notice through at least three factors: (1) a cost-benefit analysis “that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity,” would provide notice to Wyndham of what measures the FTC Act required; (2) the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Business (2011 update here), provided a checklist of practices that would create a “sound data security plan”; and (3) a number of administrative cases filed by the FTC addressed inadequate data security practices, and the allegations in “at least four or five complaints have close corollaries here.” Those common allegations include:
- Storing payment card information in clear, readable text;
- Failing to assess and monitor network vulnerabilities and defenses (in Wyndham’s case, the same intrusion methods were used multiple times);
- Failing to require robust user ID and password combinations;
- Failing to use readily available security features, such as firewalls;
- Failing to employ reasonable measures to detect and prevent unauthorized access to systems or to conduct security investigations.
The FTC’s win here is robust, although it may be challenged if Wyndham chooses to appeal to the Supreme Court. Until another court finds differently, the Third Circuit’s opinion stands as a strong message to companies to pay close attention to the FTC’s guidance on data security, engage in thorough and rigorous exercises to assess the security of the sensitive data they maintain, and fortify their protections. Even in the absence of FTC authority, state laws, class action lawsuits, and enforcement actions by state attorneys general should push companies to stay on top of data security. Robust security measures, when properly implemented and maintained, are indeed an asset in the current seemingly insecure age.