In FTC v. Wyndham Worldwide Corporation, et al., the United States Court of Appeals for the Third Circuit held that the Federal Trade Commission (“FTC”) has authority over “unfair or deceptive” cybersecurity practices under Section 5 of the Federal Trade Commission Act (“Act”). This case will have important implications for any business or person that solicits, accepts and stores private, personal and financial information.

On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation’s (“Wyndham”) computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. The FTC filed suit in federal District Court alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. More specifically, the FTC alleged that Wyndham:

  • failed to use “readily available security measures,” such as firewalls;
  • stored credit card information in clear, readable text;
  • failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
  • failed to address known security vulnerabilities on servers or follow “proper incident response procedures” (the hackers used similar methods in each attack); and
  • allowed use of default non-complex user names and passwords for access to servers.

The District Court denied Wyndham’s motion to dismiss the FTC’s complaint, and the appeals court granted interlocutory appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of §5; and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”

The Third Circuit considered the FTC’s regulatory authority under §5 of the Act, and specifically, the prohibition of “unfair methods of competition in commerce.” To justify a finding of unfairness, a consumer injury must (i) be substantial, (ii) not be outweighed by any countervailing benefits to consumers or competition that the practice produces and (iii) be an injury that consumers themselves could not reasonably have avoided. The Third Circuit determined: 

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business… and [c]onsumers could not reasonably avoid injury by booking with another hotel because Wyndham had published a misleading privacy policy that overstated its cybersecurity. (Emphasis added).

What’s more, the court found no subsequent congressional action that could somehow exclude cybersecurity from §5’s meaning. Accordingly, the unfairness requirements were satisfied by allegations in the FTC’s complaint.

The appeals court next considered whether Wyndham had fair notice that its specific cybersecurity practices could fall short of the unfairness provision of the Act. The fair notice doctrine of the Due Process Clause of the United States Constitution extends to civil cases, although a different set of considerations is implicated when agencies are involved in statutory or regulatory interpretation. Private parties are entitled to know with “ascertainable certainty” an agency’s interpretation of its regulation, and courts are to give some deference to an agency’s interpretation. Thus, Wyndham argued that it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by §5. The appeals court rejected Wyndham’s argument because, as the court noted and as Wyndham itself had apparently repeatedly argued, there is no FTC rule or adjudication about cybersecurity that merits deference. Consequently, Wyndham was entitled only to notice of the meaning of the statute, not to ascertainable certainty of the agency’s interpretation of the statute.

Wyndham will now face suit in district court for the cybersecurity breach of its customers’ personal and financial information, facing the prospect of financial damages and more intrusive remedial action to cure the deficiencies stated in the allegations in the complaint (see above). Unfortunately for other businesses, while they know the FTC has the power to pursue them for practices that may be considered unfair, they still have no guidance as to what those practices may be other than the general, unsystematic pronouncements of the FTC and the various complaints it has filed against others. As the Third Circuit observed, the FTC has no comprehensive rule regarding privacy policies. We recommend, in light of this uncertainty, that businesses review their current policies to ensure that they are, in fact, doing what they say they are doing. In addition, the FTC has just issued guidance on data security, and so any policy should take that guidance into account. Interestingly, that guidance deals with the substance of data security rather than with disclosure, raising the question of whether a business whose policy accurately states what it does in fact, but whose practices are inadequate, can nonetheless be found to be engaged in an unfair practice.