The Third Circuit’s recent ruling in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015) marks a watershed moment in the ongoing saga of Wyndham Worldwide Corporation’s (Wyndham) data breach litigation. Prior to this decision, federal cyber security regulation existed in the legal badlands, with the Federal Trade Commission (FTC), the Securities and Exchange Commission and the Department of Justice regulating different aspects of data security using separate and overlapping authorities. Congress has shown little consensus on passing a comprehensive federal data breach law, and the states have created what could generously be described as a rich tapestry of data breach laws in the absence of federal legislation. The Third Circuit’s ruling in Wyndham validates the FTC’s role in regulating data security and may catalyze a paradigm shift towards a clearer federal regulatory structure. This post briefly touches upon the ruling and its implications before offering some key takeaways for company executives considering these issues.
The Background and Ruling
The Wyndham hotel chain suffered a series of data breaches between 2008 and 2010. These breaches resulted in the theft of the Personally Identifiable Information (PII) and credit card information of 619,000 Wyndham hotel customers. Consumers, shareholders and the FTC filed suits against Wyndham Worldwide Corporation and its subsidiary hotel chains. Although Wyndham prevailed in the shareholder suit last year — the district court held that Wyndham’s board exercised its business judgment in making data security decisions — that victory may prove pyrrhic in light of the Third Circuit’s recent decision concerning the FTC’s regulatory authority.
The FTC began investigating the Wyndham data breach in 2012 and filed suit against Wyndham later that year in the Federal District Court of Arizona, claiming, among other things, that Wyndham’s data security practices amounted to an “unfair business practice” in violation of Section 5 of the FTC Act. Wyndham moved to dismiss the complaint, asserting that Section 5 does not provide the FTC with the authority to regulate data security practices generally. The district court denied Wyndham’s motion to dismiss, but certified its decision to the Third Circuit.
The Legal Holding
In its widely awaited decision, the Third Circuit unanimously and unequivocally held that the FTC does possess the statutory authority to regulate data security as an unfair business practice and rejected each of Wyndham’s contentions that the FTC lacked authority. Wyndham first argued that its data security practices were not “unfair” under the plain meaning of the term, but the court concluded that Wyndham’s customers could not have reasonably avoided its poor data security, which fit within the court’s definition of “unfair.” The court also refused to accept Wyndham’s contention that it could not be acting unfairly because the corporation itself was the victim of the breach. The court responded that the alleged poor data security employed by Wyndham may have contributed to the customers’ harm, even if it was not the “most proximate” cause of the harm. Wyndham also argued (we assume hyperbolically) that affirming FTC authority over companies’ data security policies would result in the FTC having the power to regulate businesses for failing to post armed guards at every entrance or to sanction supermarkets for unswept banana peels. The Third Circuit dryly replied that a supermarket may well face FTC regulation if it left “so many banana peels all over the place that 619,000 customers fall.” Wyndham also made nuanced legal assertions concerning congressional legislation and its effect on the FTC’s authority, which the court also refused to accept.
Finally, Wyndham argued that it could not face regulatory sanctions because the FTC has issued no guidance on what policies would be sufficient for a company to escape sanctions for its allegedly lax cyber security policies. This was the argument most observers thought might resonate with the appellate court and, indeed, the Third Circuit took the most care in addressing this argument. The Third Circuit noted that while there is no one document encompassing “guidance” as to what data security practices will, and will not, pass regulatory muster, the FTC’s ongoing regulatory activity, including entering into consent decrees and filing complaints in prior data security cases, provided Wyndham (and others) with sufficient notice that it faced regulation under the FTC’s unfair business practice authority on the basis of its data security posture.
This decision marks a pivotal moment in data security regulation. It confirms FTC authority to sanction data security as an unfair business practice and increases the list of concerns for companies responding to a data breach incident. Savvy plaintiffs have breached (pun intended) the once-rigid barrier to standing in consumer class actions. Additionally, shareholders continue to storm the gates of director and officer liability in cyber incidents. These concerns pile on the traditional legal challenges surrounding the prevention, mitigation and notification requirements of cyber intrusions. Further complicating matters, the Third Circuit did not outline the standards and limits of the FTC’s regulatory power. The issue of what standards the courts will apply in cyber security remains to be litigated.
The ruling provides some key takeaways for company executives and decision-makers:
- Companies possess notice of the FTC’s authority to regulate cyber security as an unfair business practice. Executives should consider themselves on notice and prepare prior to an FTC investigation in the event of a large-scale cyber event.
- Companies should review the statements made to their customers concerning data privacy and ensure their data security posture matches their advertised claims.
- Executives should contemplate their company’s cyber security posture comprehensively. Although the opinion made no judgments concerning the merits of the case, the Third Circuit’s tone displayed little empathy for Wyndham in the face of allegations concerning its lack of data encryption, its failure to properly firewall its sensitive data, its use of default passwords and its anemic spending on cyber security. These claims were exacerbated by the multiple data breaches suffered by Wyndham in the previous years.
- Companies may face sanctions despite their victimization. The Third Circuit made it clear that although Wyndham was the victim of a criminal intrusion, the victimization of the company will not spare it from FTC scrutiny.
- Executives should consider the company’s D&O insurance and its cyber insurance, and understand their coverage. D&O insurance and cyber insurance, which have been promoted in the wake of cyber shareholder suits and consumer class actions, may have limited application in the unfair business practice environment because insurance policies will often include an antitrust carve-out. Companies should review their insurance policies and understand the limits of their coverage prior to a breach.