On August 24, 2015, the Third Circuit upheld the Federal Trade Commission’s (FTC’s) authority to challenge deficient cybersecurity practices as “unfair” under the agency’s general authority, in Section 5 of the FTC Act, to regulate “unfair or deceptive acts or practices in or affecting commerce.” The court also ruled that the defendant, the Wyndham hotel chain, had “fair notice” of what the FTC might consider as “unfair” – in part because prior FTC cases had challenged practices similar to Wyndham’s. In June 2012, the FTC brought suit against Wyndham, alleging that the company’s “unfair” cybersecurity practices “unreasonably and unnecessarily exposed” its customers’ data. The FTC’s suit came after three cyberattacks on Wyndham’s networks in 2008 and 2009 resulted in the theft of credit card or other payment information for 619,000 consumers, leading to over US$10 million in losses due to fraud.
The implications of the Third Circuit’s decision are clear:
- companies handling consumer data should establish reasonable privacy and data security practices
- companies should regularly assess and monitor those systems and promptly correct any deficiencies
- companies should pay attention to FTC cases and the kinds of cybersecurity practices that have drawn the FTC’s ire in the past, or face potential enforcement action and liability
As the Third Circuit’s decision was an interlocutory ruling on the fundamental issue of the FTC’s basic statutory authority, the case now returns to the District Court for further proceedings.
The FTC Has Authority to Regulate “Unfair” Cybersecurity Practices
Since 2005, the FTC has brought enforcement actions against companies with allegedly deficient cybersecurity protections. The Third Circuit’s decision in FTC v. Wyndham Worldwide Corporation, Dkt. 14-3514 (3rd Cir. 2015) confirmed the FTC’s authority to rule that substandard cybersecurity practices are “unfair” to consumers. Among the practices that the FTC alleged as unfair in this case: Wyndham’s failure to monitor its system for cyber-attacks; its use of easily-guessed passwords for its administrative system; its failure to use firewalls or other “readily available” security measures; and its failure to take reasonable steps to detect and prevent unauthorized access to its system – even after hackers had gained entry.
The Third Circuit dismissed arguments that in order to be deemed “unfair,” the challenged conduct must be “unscrupulous or unethical.” The court ruled that under the FTC Act and Supreme Court guidance, conduct is “unfair” if it is likely to cause substantial injury to consumers, the injury cannot easily be avoided by consumers, and the potential injury is not outweighed by the benefits of the conduct to consumers or competition.
In its decision, the court emphasized that conduct can be deemed “unfair” even if it does not result in actual harm to consumers, or if the harm results from other, potentially criminal action (such as data theft) undertaken by a third party (here, the hackers).
Wyndham Had “Fair Notice” of the FTC’s Cybersecurity Standards
A critical second finding by the court was that Wyndham had “fair notice” that its cybersecurity practices could be challenged as “unfair” by the FTC for two main reasons. First, the court found that after Wyndham had been “hacked” three separate times, it should have been “on notice of the possibility” that its practices might be so deficient that they could be unfair to consumers, who had no notice of the substandard practices and could not protect themselves from the deficiencies. Secondly, the court found that Wyndham should have known about the FTC’s views concerning minimum standards for safeguarding personal consumer data. The court noted that both general guidance materials issued by the FTC and the FTC’s prior enforcement actions against companies provided Wyndham with adequate notice about the applicable legal standards – especially as some of Wyndham’s challenged practices were similar to practices the FTC had taken action against in prior cases. In the Third Circuit’s view, companies should derive guidance from settled cases as well as from litigated cases, as the FTC’s complaints and consent orders provide guidance on the FTC’s standards for reasonable cybersecurity and privacy protections.
In view of the prior guidance, the Third Circuit rejected Wyndham’s claim that the FTC’s reliance on an undefined “unfairness” standard deprived the company of due process. The court noted that Congress had rejected the notion that it should explicitly define “unfair” practices, instead intending “unfairness” to be a “flexible concept with evolving content” (quoting a 1941 Supreme Court case, FTC v. Bunte Bros., 312 U.S. 349, 353 (1941)). The Third Circuit also rejected Wyndham’s arguments that the FTC’s authority in the cybersecurity area is limited to certain statutory grants of authority, such as under the Fair Credit Reporting Act and the Gramm-Leach Bliley Act. Rather, the court found that while such Acts require the agency to promulgate rules relating to cybersecurity, they do not preclude or limit the FTC’s general authority over “unfair” acts or practices.
The Third Circuit’s decision reinforces the need for companies to examine their data privacy and cybersecurity practices against the FTC’s standards and generally accepted industry standards, while paying heed to the FTC’s actions in the cybersecurity realm.