Section 5 of the Federal Trade Commission Act (the “FTC Act”) has long provided the FTC with enforcement authority over any “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce”. The FTC historically has used such authority to regulate, investigate and prosecute alleged violations in regards to deceptive advertising, the Equal Credit Opportunity Act, and antitrust matters, to name a few. Based upon a recent decision by the U.S. Court of Appeals for the Third Circuit (the “Third Circuit”), the FTC now can add cybersecurity to its list of regulated activities.
In moving to dismiss the FTC complaint, Wyndham argued, among other things, that the FTC Act did not grant the FTC authority to regulate cybersecurity policies and procedures. In April 2014, the U.S. District Court for the District of Arizona denied Wyndham’s motion to dismiss, and ruled that Section 5 does grant the FTC authority to regulate cybersecurity. Wyndham appealed the District Court’s decision to the Third Circuit. On August 24, 2015, the Third Circuit affirmed the District Court’s decision in full, and agreed that Section 5 of the FTC Act does grant the FTC authority to regulate cybersecurity.
The issue of cybersecurity certainly is not new to those who operate in the payments industry, and the seemingly daily announcements of major cyber-attacks has pushed the issue to “above the fold” status. While it is always risky to attempt to prognosticate about technology, Willie Sutton’s logic about money leads one to reasonably assume that the threat of cyber-attack only will increase in the foreseeable future. The FTC’s aggressive play into the arena, and the Third Circuit’s unsurprising deference, suggests that federal regulators intend to play an active role in prodding companies to increase their cybersecurity.