The US Court of Appeals for the Third Circuit recently issued a ruling in favor of the Federal Trade Commission (FTC) in FTC v. Wyndham Worldwide Corporation in which the court found that the FTC has the authority to regulate cybersecurity under the unfairness prong of the FTC Act.
Regarding Wyndham’s fair notice argument, the court concluded that Wyndham was not entitled to know with “ascertainable certainty” how the FTC interprets the cybersecurity standards required by §45(a). The relevant question was instead whether Wyndham had fair notice that its conduct could fall within the fair meaning of the statute itself. The Third Circuit rejected the fair notice challenge, finding that the relevant standard is not so vague as to be no rule or standard at all. The court also pointed to a guidebook the FTC issued in 2007, Protecting Personal Information: A Guide for Businesses, which sets out a checklist of practices that form a “sound data security plan.” In the court’s view, that guidebook could have helped Wyndham determine in advance that its conduct might not survive a standard cost-benefit analysis, weighing the cost of stronger cybersecurity protections against the probability and magnitude of harm to its customers.
Although the FTC has been bringing administrative actions under §45(a) against companies with allegedly deficient cybersecurity practices since 2005, the vast majority of those cases ended in settlements and consent orders. The Third Circuit noted that, although the consent orders focus on prospective conduct and are “of little use” in understanding the specific requirements of §45(a), the FTC’s complaints in those actions describe the security practices that the FTC considers violations of the statute.