In 2012, the Federal Trade Commission filed suit in federal court against hotelier Wyndham and its various subsidiaries (“Wyndham”), claiming that Wyndham’s allegedly unreasonable data security practices allowed hackers to steal personal information and payment data of Wyndham’s customers. The FTC’s claims were not unusual – by 2012 the FTC had spent a decade pursuing companies for unreasonable data security in administrative actions under Section 5 of the FTC Act, which forbids unfair or deceptive acts or practices in or affecting commerce.  In each of these prior enforcement actions the company settled with the FTC, agreeing to comprehensive data security controls, program monitoring, and reporting, usually extending for 20 years.

But Wyndham’s response was highly unusual – it pushed back, and continues to do so, challenging the FTC’s authority to enforce “reasonable” data security under the FTC Act.

In its motion to dismiss, Wyndham argued that the unfairness prong of FTC Act Section 5 does not empower the FTC to regulate cybersecurity, and also that the FTC has not provided constitutionally adequate notice of what cybersecurity practices are required to satisfy a “reasonableness” standard.

The federal district court denied Wyndham’s motion to dismiss, but later allowed an interlocutory appeal on Wyndham’s arguments. The stage is now set for the Third Circuit Court of Appeals, in a case of first impression, to decide whether the FTC has authority under the unfairness prong of FTC Act Section 5 to enforce reasonable data security. Will the Third Circuit resolve this issue, or will it dodge the question?

Third Circuit Review

Prior to oral argument, the Third Circuit Court of Appeals requested that the parties prepare responses to several questions. First, the court asked whether the FTC has declared unreasonable cybersecurity practices unfair, or if the FTC was requesting the Third Circuit deem unreasonable cybersecurity practices unfair in the first instance. Second, the Third Circuit questioned whether the court could make such a declaration in a case originally filed in federal court without “administrative consideration.” These questions suggest that the Third Circuit may be considering an issue raised by neither of the parties – whether this case is properly before the federal court, or whether instead the FTC should have pursued Wyndham in an administrative proceeding.

The FTC argued that it had indeed declared unreasonable cybersecurity practices to be unfair, through a prior adjudicative order and also through 20 Commission votes to issue unfairness complaints for deficient data security practices.

Wyndham argued that the LabMD order was not final, and also that the FTC complaints and consent decrees cannot serve as adequate notice. Wyndham also argued that the FTC has the ability to promulgate rules regulating cybersecurity and should be required to provide more guidance on specific practices that would meet the reasonableness standard.

Both the FTC and Wyndham urged the court not to decide whether the case is properly before the federal court, because neither party raised that issue – both the FTC and Wyndham prefer that their dispute be resolved in the current court case.

And the Ruling is?

The Third Circuit’s ruling is forthcoming and highly anticipated.  At least three plausible outcomes emerge:

  • Door #1: An FTC victory would endorse the enforceability of a flexible “reasonableness” standard for data security, with implications across industries. Organizations will continue to be held to evolving standards to protect their customers’ data, and therefore organizations will be responsible to ascertain and closely follow the standards implicitly set by the FTC’s enforcement history.
  • Door #2: A victory for Wyndham could rein in the FTC’s enforcement authority for data security. On the other hand, a Wyndham victory on the merits of the interlocutory appeal would likely only apply to the unfairness prong of Section 5. The FTC could, and presumably would, continue to enforce data security under the deceptiveness prong of FTC Act Section 5, pursuing companies based upon any alleged misrepresentations regarding data security safeguards.
  • Door #3: The Third Circuit could sidestep the merits, ruling that this enforcement matter is not appropriate for a court case, and instead should have been pursued by the FTC in an administrative proceeding.