In FTC v. Wyndham Worldwide Corp., No 14-3514, -- F.3d-- (3d Cir. Aug. 24, 2015), the Third Circuit issued an important decision affirming a United States District Court of New Jersey ruling that the Federal Trade Commission ("FTC") has authority under Section 5 of the Federal Trade Commission Act ("Act")[i] to regulate and enforce data security practices. The Third Circuit decision bolsters the FTC in its increasingly active role in regulating consumer data security.

Section 5 of the Act prohibits "unfair or deceptive acts or practices in or affecting commerce."[ii] Since 2005, the FTC has increasingly initiated enforcement actions against companies for their allegedly inadequate cybersecurity practices that expose consumer data to theft, by relying on the deceptive and/or unfair practice prongs under Section 5.[iii]The FTC has pursued companies for alleged failures "to employ reasonable and appropriate security measures to protect personal information and files,"[iv] and for alleged misrepresentations regarding consumer data security practices in privacy policies or advertisements.[v]

Following three data breaches Wyndham experienced from mid-2008 through 2009, the FTC filed a complaint in June 2012, alleging that the hotel chain's cybersecurity measures were inadequate and that their privacy policy misrepresented those measures in violation of both the deceptive and unfair prongs of the Act. In its complaint, the FTC alleged that Wyndham engaged in unfair cybersecurity practices that "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."[vi] More specifically, the FTC alleged that Wyndham allowed hotels to store payment card information in plain text, failed to implement firewalls and other cybersecurity tools, and failed to restrict or secure third-party access to customer data.[vii] According to the FTC, the alleged inadequacies resulted in the inappropriate disclosure of credit card numbers for more than 619,900 consumers and roughly $10.6 million in losses due to credit card fraud. The FTC argued that "taken together, [Wyndham] unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

In response to the FTC's complaint, Wyndham filed a motion to dismiss, challenging the FTC's authority under the Act to regulate and enforce consumer data security practices.

The District Court of New Jersey denied Wyndham's motion, finding that the FTC has authority under the Act to regulate and enforce data security practices affecting commerce. In so holding, the district court rejected Wyndham's claim that recent cybersecurity legislation made clear that the FTC had no existing authority to regulate data security (or Congress would not have enacted the legislation). The district court further found that businesses had fair notice regarding how to avoid liability under Section 5, noting that businesses could have looked to recent FTC consent agreements, public releases, and guidance on appropriate consumer data privacy and security practices.[viii]

The Third Circuit granted interlocutory appeal and affirmed the District Court ruling, holding that the FTC indeed had the requisite legal authority to regulate consumer data security under the Act. The Third Circuit rejected Wyndham's argument that the need for recent cybersecurity legislation illustrated that the FTC had no such existing authority.[ix]

Tellingly, the Third Circuit also rejected Wyndham's contention that the FTC failed to adequately notify companies through rules, regulations, or other guidelines defining the proper level of data security standards. In essence, Wyndham argued that before bringing an unfairness action under Section 5, the FTC had to publish rules and regulations. The Third Circuit held, however, that Wyndham had fair notice that its conduct could fall within Section 5, determining that Wyndham could reasonably foresee that a court could construe its data security practices as an unfair act or practice. The court pointed to the allegations in the complaint that Wyndham failed to use firewalls or take other data security measures, did not restrict third-party access, and was hacked more than once. The court also referenced the FTC's 2007 guidebook for businesses on protecting personal information and several FTC complaints and consent decrees regarding consumer data security and privacy, finding that the FTC's "expert views" could have helped Wyndham.[x]

Although the Third Circuit decision affirmed the FTC's regulatory authority over data security and consumer protection, the FTC's case against Wyndham is far from over. On remand, the FTC will have to prove its allegations and establish that the data breaches caused substantial injuries that consumers could not have reasonably avoided. Michael Valentino, a spokesman for the company, recently stated that "[o]nce the discovery process resumes, [Wyndham] believe[s] the facts will show the FTC's allegations are unfounded."[xi] Barring a settlement, the Wyndham case will continue to be closely watched as perhaps the first case of its kind to fully litigate the merits of the FTC's enforcement actions in this unsettled arena.

Regardless of the outcome of the case, the Third Circuit's decision may bolster the FTC's ongoing efforts to investigate and enforce consumer data security breaches as reflecting an underlying unfair business practice, and it may further embolden the FTC to become more active across a wide variety of industries. Following the decision, FTC Chairwoman Edith Ramirez issued a statement that "[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."[xii]Companies have a strong incentive to ensure that they maintain policies and practices that meet or exceed data privacy and security industry standards, and to be aware of the FTC's enforcement position as reflected in its allegations in the Wyndham case.