In a unanimous decision, the U.S. Court of Appeals for the Third Circuit upheld the Federal Trade Commission’s (“FTC”) authority to bring actions against companies for failure to adequately protect consumer information from data breaches. Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 14-3514 (3d Cir. Aug. 24, 2015). The decision is the first time a court has opined on the scope of the FTC’s authority, and it solidifies the FTC’s position as a regulator of corporate data security standards. It also is another reminder of the critical need for all companies to establish, update, and follow their data privacy standards.
The action stemmed from Wyndham Worldwide Corp.’s (“Wyndham”) allegedly faulty cybersecurity measures from 2008 and 2009, during which three separate hacking episodes occurred. Hackers broke into Wyndham’s computer network and stole unencrypted data from at least 619,000 consumers. The resulting loss was $10.6 million. The complaint explained that during the time of the hacking, Wyndham licensed its name to more than 90 independently-owned hotels, all of which had individual computer systems that connected to a central computer network located in Phoenix, Arizona. The stored information included names, addresses and credit card information.
“Industry Standard Practices”
Wyndham published a cybersecurity policy on its website in 2008, claiming customer information was property encrypted, firewall-protected, and that Wyndham operated multiple security systems. According to the FTC, Wyndham was not protecting this information as it stated. In a litany of not-to-do practices, the FTC alleged that Wyndham allowed the storage of credit card information in readable text, did not use firewalls, and many Wyndham hotels were allowed to connect to the central computer network without adequate cybersecurity precautions. In addition, several hotels ran out-of-date operating systems lacking security updates and did not restrict third party vendor access to the network. Wyndham also did not monitor its networks for malware used in a previous hack, which was reused by hackers. In sum, the FTC claimed Wyndham did not employ commercially reasonable measures to protect consumer data and falsely conveyed it followed “industry standard practices,” violating the FTC’s requirements that companies “say what you do, and not what you say” when it comes to privacy and data security practices.
In June 2012, the FTC filed its action and alleged that Wyndham engaged in both unfair and deceptive practices. Wyndham moved to dismiss the suit’s unfair and deceptive practices claims. The District Court denied Wyndham’s motion but certified the unfairness claim for appeal.
A Business Can be a Victim… and a Violator
The Third Circuit rejected Wyndham’s argument that its data security practices were not included in the definition of an “unfair and deceptive practice.” First, it traced the early history of unfair practices through Congress and FTC enforcement. In doing so, the Court ruled that the statute did not require “unscrupulous” or “unethical” behavior for an act to be “unfair.” Second, the Court rejected Wyndham’s argument that it could not have engaged in unfair practices because it did not target its customers unfairly and was also the victim of the crime. Wyndham did not have to be the “most proximate cause,” the Court explained, of a customer’s injury to be held liable for such injury. Wyndham’s contention that by allowing the FTC to regulate cybersecurity, the agency would be granted authority so broad that it could “regulate the locks on hotel room doors” was dismissed as “alarmist.” The Third Circuit also disagreed that other legislation, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Children’s Online Privacy Protection Act precluded the FTC from having the inherent ability to regulate cybersecurity absent Congressional intent.
“Should Have Known Better”
Wyndham’s final arguments also failed: (1) that the FTC did not offer “fair notice” under the Due Process Clause that its conduct might amount to a violation under Section 45(a), and (2) that the FTC did not to explain what specific cybersecurity practices were “unfair.” The Court noted that Wyndham’s lack of firewalls, any encryption, and password requirements directly contradicted Wyndham’s cybersecurity statement. Additionally, the Court held that the FTC’s complaint gave Wyndham adequate notice of the alleged violations by pleading which cybersecurity practices were deficient.
Takeaways for Businesses
There are some lessons learned from the Third Circuit's ruling:
- Certain basic security measures (e.g., firewalls, encryption, access controls, vendor management, and incident response planning) should be considered for a “commercially reasonable” data security program. Companies that fail to meet these minimal standards could be subject to actions by regulators and plaintiffs alike.
- Cybersecurity preparedness is a continuing obligation. Companies cannot rest because what may be a defensible posture today based on “industry standards” may not be so tomorrow. Information security programs and incident response plans that are not adaptable, or adapted, to changing problems.
- It is critical to determine security measures for key data to carry out remediation for each data breach event.
- Companies that experience a data security breach must identify and develop remediation plans to strengthen their overall security program and to reasonably prevent (or at the very least, promptly detect) a subsequent breach where attackers use either the same or similar methods.
The Grant of FTC Authority is Clear, and May Apply to Other Agencies
The Third Circuit ruling is a major victory for the FTC and federal regulators of cybersecurity and data privacy. The Wyndham decision will likely strengthen the authority and resolve of other agencies, such as the FCC, to bring enforcement actions. Additional challenges to authority will likely not prevail, although it remains to be seen how additional cybersecurity regulators may work together with the FTC.