The U.S. Court of Appeals for the Third Circuit recently held that the Federal Trade Commission (FTC) has the legal authority under section 45(a) of the Federal Trade Commission Act (FTC Act) to regulate cybersecurity as an “unfair” act or practice affecting interstate commerce.

In so ruling, and among other things, the Court rejected the defendants’ argument that the FTC did not provide “fair notice” of the cybersecurity requirements it was seeking to impose, holding that a company is “not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a), … as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”

A copy of the opinion is available at: Link to Opinion.

In 2008 and 2009, “hackers” on three occasions gained access to the computer system of a national hospitality company that franchises and manages hotels and sells timeshares.  The hackers stole the personal and financial information of hundreds of thousands of consumers, resulting in over ten million dollars in fraudulent charges.

FTC Said Failure to Secure Data Was Unfair, Privacy Policy Was Deceptive

The FTC sued the company and three subsidiaries, alleging that the company’s failure to secure its customers’ information constituted an unfair practice, and that its privacy policy was deceptive.

The FTC alleged that, since at least April of 2008, the defendants unfairly failed to adopt and implement minimally adequate, basic cybersecurity practices to protect customers’ information. The FTC also alleged that the defendants’ published privacy policy was deceptive, because it represented that they used encryption, firewalls and other commercially reasonable means of protecting consumers’ personal and financial information, when in fact they did not.

The defendants moved to dismiss both the unfairness and deception claims, which the district court denied. The Third Circuit granted leave to appeal the interlocutory order denying dismissal in order to clarify whether the FTC has the authority to regulate cybersecurity under the unfairness prong of section 45(a) of the FTC Act, and, if so, whether the company had fair notice that its cybersecurity practices could violate the FTC Act.

The Third Circuit discussed the FTC’s regulatory authority under the FTC Act, especially as to “unfair methods of competition in commerce,” noting that Congress intentionally refused to limit the concept of “unfairness” by defining exactly what the phrase means, leaving it to the FTC to flesh out its meaning.

The Court explained that in 1994, Congress codified the FTC’s 1980 Policy Statement on “unfairness” in section 45(n) of the FTC Act, which “requires substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition.” Thus, the Third Circuit noted, section 45(n) adopted a cost-benefit analysis for determining whether an act or practice is “unfair.”

The Third Circuit rejected the defendants’ argument that a practice is only “unfair” if it is inequitable or “marked by injustice, partiality, or deception,” finding that “[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Court also rejected the defendants’ argument that a business does not treat its customers unfairly when it was itself the victim of a criminal attack, in part because the defendants offered “no reasoning or authority for this principle” and the Court could think of none, but also because the text of subsection 45(n) includes the words “likely to cause substantial injury,” which the Court found meant that the FTC Act “expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” In addition, according to the Third Circuit, under established principles of tort law, a company can be held liable for foreseeable injury even if the act of a third person was a more proximate cause of the injury.

Court Affirms FTC’s Authority to Regulate Cybersecurity

The Third Circuit then rejected the defendants’ argument that the FTC’s authority over unfair acts and practices in subsection 45(a) does not extend to cybersecurity, because the federal Fair Credit Reporting Act’s direction to the FTC to develop regulations governing the disposal of consumer data, and the Gramm-Leach-Bliley Act’s requirement that the FTC develop standards for financial institutions to protect consumers’ personal information, for example, would mean little if the FTC already had plenary authority over the field of cybersecurity. The Court reasoned that Congress had independent reasons for passing the aforementioned laws separate and apart from the FTC’s regulatory authority over cybersecurity.

The defendants next argued that the FTC’s interpretation of subsection 45(a) was wrong because Congress never granted the authority the FTC was trying to exercise, despite repeated attempts by the FTC to obtain it. Rejecting this argument as well, the Third Circuit reasoned that the FTC has repeatedly maintained that some cybersecurity practices are “unfair” under the FTC Act, and that in the other statements relied upon, from 1999 and 2000, it merely acknowledged that it did not have the power to force companies to adopt “fair information practice policies” because, at the time, they were only collecting consumer information and consumers were not injured as a result. The Court concluded that the fact that “the FTC later brought unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm is not inconsistent with the agency’s earlier position.”

Turning to the issue of whether the defendants had “fair notice” that their cybersecurity practices were unfair under the FTC Act, the Third Circuit explained, citing Supreme Court precedent, that “[a] conviction or punishment violates the Due Process Clause of our Constitution if the statute or regulation under which it is obtained ‘fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.’”

The defendants argued that, even if their conduct was unfair under section 45(a), the FTC did not provide fair notice of the particular cybersecurity standards the defendants were required to adhere to.

However, the Third Circuit pointed out that “the level of required notice for a person to be subject to liability varies by circumstance,” and that the “fair notice” doctrine applies in civil cases.

Court Says Fair Notice Standard Was Satisfied

The inquiry, however, ultimately boiled down to “not whether [defendants] had fair notice of the FTC’s interpretation of the statute, but whether [defendants] had fair notice of what the statute itself requires.” The Court then concluded that the defendants “were not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal [was] whether [defendants] had fair notice that [their] conduct could fall within the meaning of the statute.”

The Court then turned to whether the defendants had fair notice of the meaning of § 45(a).  The Third Circuit had little trouble rejecting the defendants’ argument that they were entitled to fair notice of what specific cybersecurity measures are required in order to avoid liability, concluding that “[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”

The Third Circuit concluded that the defendants’ fair notice challenge failed because, after the second attack, it should have been “painfully clear to [defendants] that a court could find its conduct failed the cost-benefit analysis.”

In addition, the FTC’s complaint “does not allege that [defendants] used weak firewalls, IP address restrictions, encryption software, and passwords. Rather it alleges that [defendants] failed to use any firewall at critical network points, … did not use any encryption for certain customer files, … and did not require some users to change their default or factory-setting passwords at all….”

Finally, the Court, pointing to a 1997 FTC publication entitled “Protecting Personal Information: A Guide to Business,” as well as FTC complaints and consent orders involving cybersecurity prior to the first attack in 2008, found that these “could certainly have helped [defendants] determine in advance that its conduct might not survive the cost-benefit analysis.”

Accordingly, the district court’s decision was affirmed.