The old maxim “Bad Facts Make Bad Law” comes to mind when reviewing the Third Circuit Court of Appeals’ precedential opinion and order in FTC v. Wyndham Worldwide Corp., No. 14-3514. Indeed, the Court went to great lengths to emphasize that Wyndham’s alleged cybersecurity lapses were particularly grievous. For example, FTC alleged that Wyndham:
Allowed its hotels to store credit card information in clear, unencrypted, readable text;
Allowed the use of easily guessable passwords to access Wyndham’s electronic property management systems;
Did not use firewalls;
Did not ensure implementation of adequate security policies;
Knowingly allowed access to centralized electronic systems by a hotel with an out-of-date system;
Failed to adequately restrict third-party vendor access to systems;
Failed to employ reasonable measures to detect and prevent unauthorized access; and
Did not follow proper incident response procedures in the wake of the first two breaches.
These alleged mistakes were Wyndham’s downfall—and if you ignore the “cost-benefit analysis” applied by the Court in Wyndham, similar mistakes, even if less egregious, could be yours. Wyndham will have far-reaching implications on the cybersecurity practices of virtually every domestic business; it is, without a doubt, a landmark decision in the cybersecurity/FTC enforcement arena that should cause company directors, officers, GCs, CIOs, CISOs, CTOs, IT, IS, and any other personnel responsible for the maintenance and development of cybersecurity policies, programs or procedures to sit up and take immediate notice.
The Court’s unequivocal affirmation of the FTC’s authority under Section 5 of the FTC Act, 15 U.S.C. § 45(a), to regulate the “fairness” of business cybersecurity practices will further embolden the FTC to pursue investigations and related enforcement actions against businesses, but figuring out how to comply with the inherent vagueness of the “cost-benefit analysis” adopted by the Court will be difficult. The decision does little to help companies decide how best to invest in cybersecurity products, policies and procedures to avoid unwanted scrutiny from FTC while protecting their customers, themselves, and their business reputations.
In Wyndham, the Third Circuit found the FTC Act provided fair notice under the Due Process Clause that businesses must conduct a cost-benefit analysis of their cybersecurity practices to determine whether the cost to consumers to invest in stronger cybersecurity outweighed the risk and potential magnitude of “reasonably unavoidable harms to consumers” absent the investment. Seemingly aware that its approval and adoption of a cost-benefit analysis to the complex and constantly-evolving realm of cybersecurity was likely to generate substantial uncertainty for business, the Third Circuit spent the last five or so pages of its opinion in Wyndham pointing to best practices and other pieces of cybersecurity guidance published by the FTC in recent years.
The Court quoted extensively from the FTC’s handbook entitled “Protecting Personal Information: a Guide for Business.” It also presented a side-by-side chart of alleged cybersecurity lapses from the FTC’s complaint in an earlier case and the FTC’s complaint against Wyndham to show how the latter’s alleged conduct potentially violated the FTC Act. And while “recogniz[ing] that it may be unfair to expect private parties back in 2008 to examine FTC complaints or consent decrees,” the Court did note that such information is available on the FTC’s website. The irony of all this is that the Court repeatedly stated in Wyndham that its “fair notice” determination was not based on the FTC’s interpretation of Section 5 as applied to cybersecurity practices, and the Court repeatedly acknowledged that no such official agency interpretation or guidance exists.
Will other courts try to find a way around Wyndham if they perceive a lower level of culpability than that presented by the FTC’s allegations in Wyndham? Will Congress or the Supreme Court eventually have to step in and clarify the FTC’s authority under Section 5 of the FTC Act as it relates to cybersecurity (something Congress has failed to do so far)? And will it make a difference to the FTC or a court if a business has some security measures in place but is still victimized by a breach? What will constitute an “adequate” security policy, “reasonable” measures to detect and prevent unauthorized access, “adequate” restrictions on third-party vendor access, or “proper” incident response procedures?
For now, we suggest you review your own policies, familiarize yourself with the FTC’s website and the common-sense guidelines set forth in Protecting Personal Information: a Guide for Business, and, if necessary, implement changes to follow those guidelines.