On March 3, 2015, a three-judge panel of the U.S. Court of Appeals for the Third Circuit heard oral argument in a challenge brought by Wyndham Worldwide Corp. (“Wyndham”) to the Federal Trade Commission’s (“FTC”) authority to regulate cybersecurity. The hotel company is seeking to have the court dismiss the FTC’s data security case against it, arguing that Congress never gave the FTC the authority to regulate data security. Should Wyndham prevail, the ruling would significantly curtail the FTC’s ability to bring cases against, and force changes by, companies the FTC believes are not adequately guarding their customers’ data.
The case initially arose after a significant cyber-attack against the hotel company from 2008 – 2010, in which hackers stole data from hundreds of thousands of customer accounts, resulting in at least $10.6 million in fraudulent charges. Wyndham informed regulators and consumers about the attack and subsequently cooperated with an FTC investigation into the incident. Despite this cooperation, the FTC filed suit against Wyndham, alleging numerous failures and inadequacies in the company’s data security, including the failure to erect firewalls, use password protections and configure payment data securely. As part of the suit, the FTC is seeking an injunction requiring security improvements by Wyndham, and possible “other relief,” which could include financial restitution and refunds.
In the past, the FTC has brought cybersecurity actions relying on its authority under Section 5 of the Federal Trade Commission Act (“FTC Act”), which prohibits “unfair” and “deceptive” business practices; the prohibition on unfair practices is known as the “unfairness prong.” In its brief to the Third Circuit in the Wyndham case, the FTC argues that inadequate cybersecurity “unreasonably exposes consumers to substantial injury they cannot reasonably avoid.” Further, during oral argument before the appellate panel, the FTC emphasized its view that Congress clearly intended the agency to wield its “unfairness power” under the FTC Act broadly, to encompass “every manner of consumer harm.”
At least one of the circuit judges on the panel, however, pushed back on this contention, stating that his reading of the relevant legislative history indicated that the FTC only has the ability to bring “routine fraud cases.” This position appears to favor Wyndham, whose core argument has been that Congress never intended the “unfairness prong” to reach practices that can only be considered negligent, rather than fraudulent. Wyndham has responded to the FTC’s assertions of regulatory authority by arguing that “a business cannot be deemed to have engaged in an ‘unfair’ practice where, as here, the business itself was the victim of criminal conduct by others.”
In April 2014, U.S. District Judge Esther Salas rejected this argument (and others put forth by Wyndham), siding with the FTC in holding that: 1) Section 5 of the FTC Act permits the agency to regulate data security; 2) the agency had provided adequate notice of what constitutes reasonable data security practices; and 3) the FTC had adequately pled claims for both unfairness and deception under Section 5 of the FTC Act. However, at least one reading of the oral argument before the Third Circuit panel is that the judges are leaning towards reversing Judge Salas and siding with Wyndham.