The US Court of Appeals for the Third Circuit recently issued a ruling in favor of the Federal Trade Commission (FTC) in FTC v. Wyndham Worldwide Corporation in which the court found that the FTC has the authority to regulate cybersecurity under the unfairness prong of the FTC Act.

On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation’s computer systems and stole personal and financial information relating to hundreds of thousands of consumers. The FTC filed suit against Wyndham in federal district court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. Wyndham argued that the FTC did not have the authority to regulate cybersecurity under the unfairness prong of §45(a) and that it did not have fair notice that its specific cybersecurity practices could fall short of that provision.

The FTC Act prohibits unfair methods of competition in commerce. The court stated that under the amendments to the act, the FTC could deem a practice unfair “if the practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The court then went on to state that “a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

 

Regarding Wyndham’s fair notice argument, the court concluded that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity standards are required by §45(a). Instead, the relevant question was whether Wyndham had fair notice that its conduct could fall within the fair meaning of the statute. The Third Circuit rejected Wyndham’s fair notice challenge, stating that the relevant rule is not so vague as to be no rule or standard at all. Further, the court stated that in 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Businesses, which describes a checklist of practices that form a “sound data security plan.” The court stated that the guidebook could have helped Wyndham determine in advance that its conduct might not survive a standard cost-benefit analysis of investing in stronger cybersecurity protections given the probability and the size of harm to customers.

Although the FTC has been bringing administrative actions under §45(a) against companies with allegedly deficient cybersecurity standards since 2005, the vast majority of such cases ended in settlements and consent orders. The Third Circuit notes that, although the consent orders focus on prospective conduct and are “of little use” in understanding the specific requirements of §45(a), the FTC’s complaints in these actions paint a picture of security practices that the FTC deems violative of the statute.

The case further highlights the need for companies to take care in crafting the terms of their privacy policies to ensure that the promises made in such policies are reasonably complete and accurate. Although the Third Circuit did not directly analyze the FTC’s deceptive practices claim, the opinion states that facts relevant to unfairness and deception claims frequently overlap. Therefore, companies must be careful that their privacy policies are not deceptive. For example, if a company’s privacy policy states that the company safeguards personally identifiable information by using industry standard practices, then the company should be familiar with ever-evolving industry standard security practices, such as encryption, firewalls, and other commercially reasonable methods for protecting consumer information. Further, if the company collects personally identifiable information, it should keep abreast of any guidelines that the FTC issues about protecting such information and the latest security settlements and consent orders that the FTC posts on its website.