The dispute arose when the agency filed suit asserting that Wyndham violated Section 5 of the Federal Trade Commission Act by misrepresenting the strength of its data security protection, as demonstrated by three cyberattacks between 2008 and 2010 that led to over $10.6 million in fraudulent charges. Wyndham fired back with a direct challenge to the agency's authority to make an unfair practices claim in the data security context.
A federal court judge sided with the agency by declining to "carve out a data security exception" to the FTC's authority. Wyndham appealed, arguing that the FTC lacked authority to regulate cybersecurity under the unfairness prong of the Federal Trade Commission Act and that the company did not have fair notice that its specific cybersecurity practices could fall short of that provision.
The federal appellate panel affirmed.
The court was not persuaded by Wyndham's position that recognizing the FTC's authority in this realm was akin to suing supermarkets that are "sloppy about sweeping up banana peels." "The argument is alarmist to say the least," the panel wrote. "And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [the FTC Act]."
Multiple statutes establishing data security authority for other agencies in particular areas—such as the Children's Online Privacy Protection Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act—did not mean that the Commission lacked general substantive authority over the field of cybersecurity, the panel wrote. The privacy laws are compatible with reading corporate cybersecurity into Section 5's powers to regulate unfair conduct, the court said, and the new laws require the FTC to take specific actions (issuing regulations, for example) that go above and beyond the requirements of Section 5.
As a demonstration that the agency lacked such authority, Wyndham pointed to earlier statements from FTC Commissioners who sought the power to regulate cybersecurity practices. The court disagreed. "Our conclusion is this: that the FTC later brought unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm is not inconsistent with the agency's earlier position," the panel wrote.
Having rejected the hotel chain's arguments that the FTC lacked the authority to regulate unfair conduct in the cybersecurity context, the court turned to whether Wyndham had fair notice of the agency's standards pursuant to Section 5.
Wyndham was not entitled to "ascertainable certainty" as to what specific cybersecurity practices are required, the panel explained, because the court was required to interpret Section 5 in the first instance to decide whether Wyndham's conduct was unfair. "The relevant question is not whether Wyndham had fair notice of the FTC's interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires," the court said.
Answering its own question, the panel found that Wyndham had fair notice because the company could reasonably foresee that a court could construe its conduct as falling within the statutory coverage. In 2007 the FTC issued a guidebook that included a checklist of practices that form a "sound data security plan," and the agency began bringing administrative actions against companies with allegedly deficient cybersecurity in 2005, several years prior to the cyberattacks against Wyndham.
The company's challenge "is even weaker given it was hacked not one or two, but three times," the panel added. "We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis."
To read the opinion in FTC v. Wyndham Worldwide Corp., click here.
Why it matters: Businesses across the country have closely followed theWyndham litigation, and the message from the court is clear: the FTC has the authority to regulate unfair or deceptive practices in the cybersecurity context. Or as FTC Chairwoman Edith Ramirez said in a statement released by the agency, the "decision reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."