Following supplemental briefings recently filed in the FTC v. Wyndham case, the U.S. Third Circuit Court of Appeals is expected to determine the scope of the Federal Trade Commission‘s (“FTC”) authority over unfair trade practices in the arena of cybersecurity.
This is the latest development in the case that began back in 2012, when the FTC sued the global hotel company Wyndham for failing to adequately safeguard its computer network, thereby allowing hackers to access customer information between 2008 and 2009. The FTC charged Wyndham with violating both the deception and unfairness provisions in the FTC Act, while Wyndham’s basic argument in response was that the FTC lacks authority to regulate and supervise cybersecurity practices. The Court is now to determine whether the FTC’s authority over “unfair or deceptive acts or practices in or affecting commerce” includes cybersecurity practices.
The Wyndham case demonstrates how businesses suffering data breaches, may end up having to litigate on multiple fronts. Hence, while Wyndham had to defend itself against the shareholder derivative action, it also found itself facing an FTC action. In this case, Wyndham’s directors supported the company as it defended its conduct and procedures before the FTC. However, they were also required to justify their fiduciary duties in order to assess whether the breaches were the result of negligent or reckless conduct by Wyndham’s officers, which may have required the company to file its own civil action against its officers.