On August 24, 2015, the Third Circuit released its long-awaited opinion in Federal Trade Commission v. Wyndham Worldwide Corp., et al., Case No. 14-3514, and affirmed a District Court’s finding that the Federal Trade Commission (the “FTC”) has authority to regulate cybersecurity under the “unfairness” prong of section 45(a) of the Federal Trade Commission Act. The ruling solidifies the FTC’s regulatory authority to pursue companies for failure to adequately secure customer and consumer data. The Court rejected Wyndham’s arguments that (a) unfair conduct necessarily required unscrupulous or unethical behavior; (b) unfair conduct required that the conduct be “marked by injustice, partiality, or deception”; and (c) Wyndham could not be found to have engaged in unfair conduct where it itself was the victim of a crime. The Court also held that subsequent statutes, particularly the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and recent amendments to the Fair Credit Reporting Act, did not operate to exclude general regulatory authority over cybersecurity issues by the FTC.
The implications of the holding will only become apparent with time. Indeed, the FTC has brought complaints and entered into consent decrees since at least 2005 concerning cybersecurity failures, focusing on particularly egregious failures. Thus, the FTC has assumed this authority all along. Now, however, the FTC is on surer ground than ever before, and given the nationwide, mainstream reportage on high-profile breaches like the Sony and Ashley Madison hacks, it is fair to expect a more vigorous approach from the FTC going forward.