In December we addressed the topic of cybersecurity from a product liability perspective. In particular, our prior report highlighted the U.S. Food and Drug Administration’s final guidance on the need for effective cybersecurity and warned that medical device manufacturers should heed the FDA’s recommendations. See article. As promised, we have continued to monitor the development of the cybersecurity litigation landscape.
Recently, the Third Circuit affirmed a lower court holding denying a company’s motion to dismiss the Federal Trade Commission’s action alleging that by failing to maintain appropriate data security for consumers’ personal information the company had violated the Federal Trade Commission Act. F.T.C. v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. Aug. 24, 2015). The case against Wyndham does not, strictly speaking, fall within the realm of product liability; however, the court’s ruling has serious implications for companies facing litigation arising from cybersecurity breaches, including product manufacturers.
The case against Wyndham follows a line of administrative actions that the Federal Trade Commission (“FTC”) has brought against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. In Wyndham, the FTC alleged that on three occasions in 2008 and 2009 hackers accessed Wyndham’s network causing the theft of personal and financial information of hundreds of thousands of consumers. The FTC filed suit against Wyndham alleging, among other claims, that Wyndham’s deficient cybersecurity conduct was an unfair practice. On interlocutory appeal, the Third Circuit addressed the issue of whether the FTC has authority to regulate cybersecurity under the unfairness prong of §45(a) of the Federal Trade Commission Act of 1914 (“the Act”).
To understand the arguments raised by both sides, it is helpful to review briefly the legislative history of the Act. Section 45(a) of the Act prohibits “unfair methods of competition in commerce.” 15 U.S.C. § 45(a). In 1938, Congress inserted an additional prohibition against “unfair or deceptive acts or practices in or affecting commerce,” expanding the scope of §45(a). Wheeler-Lea Act, Pub. L. No. 75-447, §5, 52 Stat. 111, 111 (1938). In 1964 the FTC clarified the scope of the Act—in an effort to combat allegedly unfair or deceptive advertising and labeling of cigarettes—explaining that the following three factors would govern unfairness determinations:
- whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise—whether, in other words, it is within at least the penumbra of some common-law, statutory or other established concept of unfairness;
- whether it is immoral, unethical, oppressive, or unscrupulous; [and]
- whether it causes substantial injury to consumers (or competitors or other businessmen).
Fed. Reg. 8324, 8355 (July 2, 1964). In 1980, the FTC updated its unfairness policy statement, and iteration of the provision that Congress codified in 1994. 15 U.S.C. §45(n). Section 45(n) requires “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Id.
In its appeal, Wyndham renewed its argument made in the district court that even if the initial enactment of §45(a) included cybersecurity, the three legislative acts since the Act’s amendment in 1938 removed cybersecurity from the scope of the provision’s meaning. 2015 WL 4998121 at *7. Invoking prior Supreme Court precedent, Wydham argued that just as Congress intended to exclude tobacco products from the FDA’s jurisdiction in FDA v. Brown & Williamson Tobacco Corp., it similarly has enacted legislation meant to exclude cybersecurity from the FTC’s regulatory jurisdiction. 529 U.S. 120, 142 (2000). In other words, because Congress has narrowly tailored data-security legislation through several legislative acts targeting data-security in specific sectors of the economy, the FTC may not generally establish data-security standards for the private sector.
Unpersuaded by Wyndham’s inconsistency arguments, the Third Circuit held that the FTC may bring unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm. 2015 WL 4998121, at *8. The Court affirmed the district court’s conclusion that subsequent data-security legislation complements—rather than precludes—FTC’s authority.
Following the Third Circuit’s recent ruling and considering the ongoing rise of cybersecurity breaches across all industries, companies should understand the potential litigation risks they face pursuant to the unfairness prong of §45(a). Notably, the Third Circuit highlighted that prior to Wyndham the majority of cases brought under the auspices of the Act’s unfairness prong have resolved in settlement—not unlike claims brought under the False Claims Act, an authority now notorious for reaping high settlements. Although the Act does not permit trebling of damages as is allowed under the False Claims Act, civil penalties pursuant to 15 U.S.C. §45 are limited to $10,000 for each violation—thus raising addition questions about what constitutes a “violation.” We will continue to monitor this interesting intersection of cybersecurity and product liability litigation.