In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies that fail to take adequate steps to protect customer data.
In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards. After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.” The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices. On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.
This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act. Since 2005, the FTC has settled 53 cases against companies related to data security. Wyndham is one of two companies to challenge the FTC’s authority in this area. The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.
In 2008 and 2009, according to the FTC’s complaint, Russian hackers penetrated Wyndham’s computer systems three times and stole confidential information used to ring up false charges of more than $10 million. In the wake of these attacks, the FTC investigated and charged that Wyndham’s data security practices, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Among other things, the FTC alleged in its complaint that Wyndham failed to maintain an inventory of all computers connected to its network and failed to conduct security investigations to detect unauthorized access.
The district court denied Wyndham’s motion to dismiss the claims under both theories. On appeal, Wyndham challenged the FTC’s jurisdiction to bring charges against companies for their data security practices, arguing that more targeted Congressional enactments, such as the Gramm-Leach-Bliley Act, which requires the FTC to establish standards for financial institutions to protect consumers’ personal information, precluded the agency from doing so. Wyndham also argued that the FTC was required to provide “fair notice” before commencing an enforcement action by publishing rules or regulations spelling out what it considered reasonable security standards.
The Third Circuit rejected these arguments, ruling that the unfairness prong of Section 5 granted the FTC broad authority to bring enforcement actions against companies for their data security practices, and that the agency was not required to publish specific rules or guidance on reasonable security standards in order to provide fair notice of what it expected from the private sector in this regard.
Shortly after the ruling, FTC Chairwoman Edith Ramirez issued a statement noting that the court’s ruling “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”