Section 5 of the Federal Trade Commission Act (the “FTC Act”) has long provided the FTC with enforcement authority over any “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce”.  The FTC historically has used such authority to regulate, investigate and prosecute alleged violations in regards to deceptive advertising, the Equal Credit Opportunity Act, and antitrust matters, to name a few.  Based upon a recent decision by the U.S. Court of Appeals for the Third Circuit (the “Third Circuit”), the FTC now can add cybersecurity to its list of regulated activities.

Beginning in 2005, the FTC began bringing administrative actions under Section 5 of the FTC Act against companies with alleged deficient cybersecurity systems.  As noted in the Third Circuit’s decision, the “vast majority of these cases ended in settlement”.  In June 2012, the FTC filed a lawsuit in the District Court for the District of Arizona (the “District Court”) against Wyndham Worldwide Corporation (“Wyndham”), the international hotel chain, alleging that (1) Wyndham’s data-security practices were “unfair” because they lacked certain security protections, and (2) Wyndham’s privacy policy was “deceptive” because it inaccurately represented the scope of the company’s security measures.  The lawsuit resulted from three separate data breaches of Wyndham’s computer systems, which exposed consumers credit and debit cards to a total of $10.6 million of fraudulent charges.

In moving to dismiss the FTC complaint, Wyndham argued, among other things, that the FTC Act did not grant the FTC authority to regulate cybersecurity policies and procedures.  In April 2014, the U.S. District Court for the District of Arizona denied Wyndham’s motion to dismiss, and ruled that Section 5 does grant the FTC authority to regulate cybersecurity.  Wyndham appealed the District Court’s decision to the Third Circuit.  On August 24, 2015, the Third Circuit affirmed the District Court’s decision in full, and agreed that Section 5 of the FTC Act does grant the FTC authority to regulate cybersecurity.

The issue of cybersecurity certainly is not new to those who operate in the payments industry, and the seemingly daily announcements of major cyber-attacks has pushed the issue to “above the fold” status.  While it is always risky to attempt to prognosticate about technology, Willie Sutton’s logic about money leads one to reasonably assume that the threat of cyber-attack only will increase in the foreseeable future.  The FTC’s aggressive play into the arena, and the Third Circuit’s unsurprising deference, suggests that federal regulators intend to play an active role in prodding companies to increase their cybersecurity.