This week, the Third Circuit issued its much-awaited decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015). The Court unanimously affirmed the FTC's authority to bring actions challenging businesses' data security practices under the "unfairness prong" of Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a), without first promulgating rules or regulations that describe acceptable data security standards.
The FTC's enforcement action against Wyndham
From 2008 to 2009, Wyndham experienced three data breaches in which more than 619,000 payment cards were allegedly compromised, resulting in $10.6 million in fraudulent charges. In 2012, the FTC filed a federal enforcement action against Wyndham, alleging in pertinent part that Wyndham's deficient data security practices exposed consumers' personal data to hackers in violation of Section 5's unfairness prong, which prohibits "unfair … acts or practices in or affecting commerce." Wyndham allegedly failed to use standard security measures such as firewalls and encryption, allowed the use of easily guessed passwords to access its network, and otherwise did not use reasonable measures to prevent and detect data breaches.
In the past decade, the FTC has commenced dozens of enforcement actions similar to the Wyndham case, asserting that it has broad authority to police companies' data security practices under Section 5. Most actions have led to settlements in which the companies have agreed to implement comprehensive data security plans and consented to 20 years of outside monitoring. In contrast, Wyndham moved to dismiss, contending that the FTC's traditional consumer protection authority under Section 5 did not apply to data security. The district court denied Wyndham's motion to dismiss, and the Third Circuit granted interlocutory review of two issues: (1) whether Section 5's unfairness prong authorizes the FTC to police companies' data security practices; and (2) if so, whether Wyndham received fair notice that its data security practices might fall short of Section 5's requirements.
The Third Circuit's decision
The court unanimously rejected each of Wyndham's arguments.
First, Wyndham argued that Section 5's unfairness prong does not cover data security, citing recent statutes (e.g., the Fair Credit Reporting Act and the Children's Online Privacy Protection Act) that granted the FTC tailored authority to regulate data security in distinct sectors. Wyndham contended that these tailored grants would have been unnecessary if the FTC already had plenary authority to police data security under Section 5. The Court rejected Wyndham's argument, holding that the recent statutes granted the FTC new data security powers that complemented its existing Section 5 authority over data security.
Second, Wyndham contended that even if the FTC had authority to regulate data security under Section 5's unfairness prong, its enforcement action violated due process. Wyndham argued that because the FTC has not issued regulations describing the minimum required data security practices, Wyndham lacked "fair notice" of its Section 5 data security obligations. However, the Court held that Wyndham was not entitled to notice of specific data security practices that the FTC viewed as satisfactory. Rather, due process entitled Wyndham only to fair notice that a court could find its alleged data security practices inadequate under Section 5—and Wyndham had received such notice.
Specifically, the Court held that while Section 5 is "far from precise," it places companies on notice that they must conduct a cost-benefit analysis that weighs "the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity" and "the costs to consumers that would arise from investment in stronger cybersecurity." Here, because Wyndham experienced three data breaches, it was on notice after the second breach that a court could find its data security practices deficient under Section 5's cost-benefit analysis. Moreover, the FTC had issued informal guidance, and its complaints and consent decrees in other cases showed that it regarded specific data security practices used by Wyndham as defective. The FTC had even filed nearly analogous allegations against a different company in a 2006 enforcement action.
Wyndham also argued that its alleged conduct did not satisfy the plain meaning of an "unfair" act, as it was itself the victim of a data breach and had not acted unscrupulously or unethically towards its customers. But the Court held that the FTC could pursue an action under Section 5's unfairness prong against a company whose allegedly deficient security practices led to a data breach in which consumers were actually harmed. (The Court also observed in dicta that while unfairness claims "usually involve actual and completed harms," the FTC could also bring unfairness claims "on the basis of likely rather than actual injury.")
The decision is a victory for the FTC, which has long asserted that it has Section 5 authority to bring enforcement actions against companies with deficient data security practices. The FTC may also invoke the Third Circuit's dicta to bring enforcement actions against companies whose data security practices (in the FTC's view) will likely cause consumers harm, even if no consumers have suffered actual injury.
It remains to be seen whether the FTC will increase its data security enforcement efforts due to the Third Circuit's decision. Nonetheless, to reduce the risk of an FTC enforcement action, companies should consider evaluating the adequacy of their data security practices in light of the FTC's prior guidance and prior Section 5 complaints and settlements.