This article was first published by The Lares Institute Blog (September 24, 2015).
Many articles have been written recently about the Third Circuit’s recent ruling in the FTC v. Wyndham, — F.3d — 2015 WL 4998121 (3d Cir. 2015) which, while trumpeting the case’s importance, do not address some of the more interesting aspects of the opinion. This decision, while notable at some level, sets the stage for the more important issues that the court did not decide, but which will have to be decided as the case is litigated. As a result, it is likely that future opinions will be of more importance, and this article examines certain potential issues, including some that are hinted at in the opinion.
To understand the opinion, and what it does and doesn’t decide, one must understand the current procedural posture of the case. The motion before the court was a 12(b)(6), or motion to dismiss, which essentially raised two issues— whether the FTC had the authority to regulate cybersecurity in accordance with it unfairness authority, and whether Wyndham had “fair notice” of whether allegedly deficient cybersecurity practices could “fall short” of §45(a).
IT DIDN’T DECIDE THE MERITS
One of the key issues that has been blurred in certain other articles is that this decision was not a summary judgment motion under Rule 56, or otherwise on the merits of the case. Instead, it is a decision that tested the legal principles identified above, and, as the Third Circuit noted, for these purposes, the court must “accept all factual allegations as true, and construe the complaint in the light most favorable to the [FTC], and determine whether, under any reasonable reading of the complaint, the [FTC] may be entitled to relief.” As a result, the court did not, and could not, make factual findings about whether Wyndham did, or did not, have adequate security. Instead, as it must under 12(b)(6), the court assumed all of the FTC’s allegations were true. As discussed below, that is where the future decisions will be of critical importance as the contours of unfairness are set.
IT DID PERMIT THE FTC TO REGULATE CYBERSECURITY VIA UNFAIRNESS
In the security and privacy realm, the FTC uses two prongs of its statutory authority under Section 45(a)1—deception and unfairness. There is a significant amount of history that surrounds these concepts, which I examine in, The Federal Trade Commission and Privacy: Defining Enforcement and Encouraging the Adoption of Best Practices, 48 San Diego L. Rev. 809 (2011).2 The Supreme Court has previously weighed in on the scope of the FTC’s jurisdiction, the FTC has issued a statement regarding its belief regarding what unfair practices are, and ultimately Congress amended Section 45(a) to conform to these views.
Ultimately, the Unfairness Statement was codified by Congress via an amendment to 15 U.S.C. § 45(n), which now reflects the consumer injury focus. Under this formulation a practice is unfair if it (1) causes or is likely to cause substantial injury to consumers (2) that is not reasonably avoidable by consumers themselves and (3) not outweighed by countervailing benefits to consumers or to competition.3
There are two notable portions of the Third Circuit’s decision regarding these factors. The first is that, contrary to Wyndham’s position, the Third Circuit did find that the FTC did have jurisdiction to pursue unfairness claims based upon an alleged lack of information security, stating that the court was “not persuaded that the alleged conduct falls outside the plain meaning of ‘unfair.’”4 This essentially, subject to potential appeals, at least in the Third Circuit, ends the arguments made by Wyndham, and others, on the jurisdictional arguments regarding unfairness and security.
The second raises some issues about what the FTC must prove in order to establish unfairness based upon allegations related to cybersecurity. Wyndham argued that while the FTC must, at minimum, produce evidence to establish these three factors before an act is declared to be unfair, the FTC may have to establish other additional factors beyond those identified in §45(n). While this issue was not one the Court had to decide at this time, it did seem to indicate that in this context the three unfairness factors might not completely express the burden the FTC must meet.5
IT DID DECIDE WYNDHAM HAD “FAIR NOTICE”
Like any government agency, the FTC’s jurisdiction is not unlimited, and due process concerns, among other legal issues, place an outer limit on certain regulatory activities. The concept of “fair notice” is one of those outer limits, and this issue was also examined by the Third Circuit. The court began its analysis by stating “A conviction or punishment violates the Due Process Clause of our Constitution if the statute or regulation under which it is obtained ‘fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.’”6
The issue here was Wyndham’s argument that it did not have fair notice of the standards—what cybersecurity practices the FTC believed were required—under Section 45(a). The court did not accept this argument, finding, at least at the pleading stage, that Wyndham need only have fair notice that its alleged conduct could fall within Section 45(a). It will remain to be seen on remand what level of notice the District Court believes was necessary and appropriate regarding the standards themselves that the FTC seeks to impose upon companies under its unfairness jurisdiction.
IT DID NOT DECIDE THAT CONSENT DECREES WERE “PRECEDENTIAL”
As part of the fair notice analysis, the court examined what the impact the FTC’s prior consent decrees had in this context. The court was clear on this point:
We agree with Wyndham that the consent orders, which admit no liability and which focus on prospective requirements on the defendant, were of little use to it in trying to understand the specific requirements imposed by § 45(a).7
This statement will be important both for Wyndham in this case, as well as other companies as they attempt to navigate negotiations with the FTC in the future. Thus it seems clear that while the prior consent decrees provide some guidance regarding what the FTC thinks, they do not offer binding precedent as an opinion of a court would.
IT DID NOT APPEAR TO IMPOSE A BURDEN TO REVIEW CONSENT DECREES, AT LEAST IN 2008
While not directly relevant to the fair notice arguments, the court also noted that, in contrast to the FTC’s position, in 2008 it could have been “unfair” to expect companies to review the FTC complaints or consent decrees that it posts on its website.8 The ultimate relevance of this point in the Wyndham case will be determined as the case progresses, but the court clearly stated that these documents may not be the kinds of legal documents that companies “typically consulted.”9 Whether that same analysis will hold true for companies examining these issues today will remain to be seen, but at least for Wyndham and others in 2008, the court declined to impose this burden.
IT DID NOT DECIDE HOW TO ASSESS CONSUMER HARM
Now that the jurisdictional issues are resolved, at least for now, the case will move on to the merits, which means the burden will shift to the FTC to prove its case and produce evidence to support the three elements of unfairness noted above. While all three elements will likely be litigated, the first point whether the alleged practices cause, or are likely to cause substantial injury to consumers will certainly be a key issue.
This issue is frequently addressed in the data security class action litigation context involving a related issue—Article III standing, and the Article III issues can be summarized in the three part test set forth by the Supreme Court. The plaintiff has the burden in those cases to establish:
- That it has suffered an injury in fact—an invasion of a legally-protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical;
- A causal connection between the injury and the conduct complained of—the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court; and
- That it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.10
In the data breach context, many courts have found that the plaintiff cannot meet the burden to establish the requisite level of injury, which results in dismissal of the case.11 In fact, this conclusion was recently reached by the District Court in New Jersey, the District Court that will decide this matter, in a case involving the alleged improper mailing of Social Security numbers which permitted them to be visible.12
Interestingly, in examining situations where the FTC has been given rulemaking authority in other contexts, the Court examined other statutory schemes that appear to have differing harm standards. One such example is the GLBA, which the Court stated empowered the FTC to establish appropriate standards “… to protect against unauthorized access to or use of … records … which could result in substantial harm or inconvenience to any customer.”13
How the GLBA standard will be interpreted versus the injury element of Section 5 noted above, as well as what the District Court will examine and decide what the FTC must produce to meet its burden on this point remains to be seen, but this will be one of the key issues as we test the contours of unfairness and cybersecurity.