In a highly anticipated and precedential opinion issued earlier this week, the Third Circuit Court of Appeals upheld the FTC’s authority to regulate corporate cybersecurity. The decision in Federal Trade Commission v Wyndham Worldwide Corp et al., addressed whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and, if so, whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision.
Each Wyndham-branded hotel has a property management system that processes consumer information including names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. A breach in Wyndham’s security opened the door for three separate hacks that resulted in the theft of personal and financial information for hundreds of thousands of consumers leading to more than $10.6 million dollars in fraudulent charges.
The FTC alleged that Wyndham unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft by storing payment card information in clear readable text, allowing the use of easily guessed passwords to access the property management systems and by failing to use readily available security measures, such as firewalls, to limit access between the hotels’ property management systems, corporate network and the Internet, among other reasons. The district court denied Wyndham’s motion to dismiss and the Third Circuit granted Wyndham’s interlocutory appeal to address the fundamental questions about the scope of the FTC’s authority in the cybersecurity space.
Wyndham argued that the three requirements of 15 U.S.C. § 45(n) are necessary but insufficient conditions of an unfair practice and asked that the Court apply the plain meaning of the word “unfair” to mean “not equitable” or “marked by injustice, partiality, or deception.” Wyndham also asserted that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The Court rejected these arguments, reasoning that although unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury. Therefore, Wyndham’s cybersecurity intrusions could fall under the plain meaning of “unfair” if the intrusions were foreseeable.
Wyndham also argued that fair notice means it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by § 45(a). However, the Court concluded that ascertainable certainty was not the standard. Instead, the relevant inquiry was whether Wyndham had fair notice that its conduct could fall within the meaning of the statute; it was not whether Wyndham had notice of the FTC’s interpretation of the statute.
The Court went on to state that Wyndham is entitled to a relatively low level of statutory notice because 1) Subsection 45(a) did not implicate any constitutional rights in this case; 2) it is a civil rather than criminal statute; and 3) statutes regulating economic activity receive a “less strict” test because their subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action. The Court concluded that Wyndham can only claim that it lacked fair notice of the meaning of the statute itself, a theory the Court strongly suspected would be unpersuasive under the facts of the case.
The implications here are clear. Breached companies are now officially on notice that they may have to answer to the FTC in the wake of a cyber attack, and cannot claim ignorance of what cybersecurity measures the FTC deems inadequate. As FTC Chairwoman Edith Ramirez stated, the Third Circuit decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”