In a resounding win for the Federal Trade Commission (“FTC”), the Third Circuit unanimously affirmed the FTC’s power to regulate cybersecurity under the unfairness prong of the FTC Act (15 U.S.C. §45). FTC v. Wyndham, Case No. 14-3514 (3rd Cir. Aug. 24, 2015). While the facts made this case an easy one for the Court to decide, the decision’s impact will be far-reaching.

Background

In 2012, the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries under the FTC Act in relation to three separate data breach incidents in 2008 and 2009 that compromised the personal information of over 619,000 consumers. The FTC accused Wyndham of conduct that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Among other things, the FTC contended that Wyndham failed to use any firewalls and stored credit card payment information in clear readable text. These actions stood in stark contrast to the company’s privacy policy, which promised certain standards of protection that Wyndham was not following.

Wyndham moved to dismiss the FTC’s complaint on two grounds: (1) the FTC does not have authority to regulate cybersecurity, and (2) the FTC did not provide fair notice of the standards by which private parties must abide. The District Court denied the motion to dismiss, and the Third Circuit sided with the FTC on each issue.

Analysis

First, the Third Circuit determined that the FTC has the power to regulate cybersecurity. In adopting the FTC Act, Congress explicitly considered, and then rejected, the opportunity to specify particular “unfair” practices that would be subject to regulation. Because the Act was intended to be flexible, with “evolving content,” the Third Circuit determined that cybersecurity could be regulated by the FTC.

Second, the Court determined that Wyndham had fair notice that its cybersecurity practices were prohibited under the FTC Act. The Court explained that fair notice is satisfied “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Wyndham argued that it did not treat its customers in an “unfair” manner because it had itself been the victim of cybercriminals. The Court rejected that argument. After all, Wyndham had been the victim of three separate cyber attacks and yet still failed to put up any firewalls or use encryption for certain sensitive information. These facts were particularly egregious and made it easy for the Court to reach this conclusion.

Looking Ahead

The key takeaway of this decision for companies is that they cannot escape the long arm of the Federal Trade Commission. In particular, any company that has experienced a data security breach will be required to make some proactive effort to avoid repeat incidents or risk being subject to the unfairness prong of the FTC Act.