Businesses (and their lawyers) nationwide were watching the 4th U.S. Circuit Court of Appeals to see whether the court would uphold Federal Trade Commission (FTC) authority to seek redress on behalf of consumers who were damaged by unfair and deceptive cybersecurity practices. The statutes giving the FTC its authority over unfair and deceptive trade practices — the Federal Trade Commission Act (FTCA) and the Privacy Act (TPA) — were both enacted well before the Internet was created. As such, defendants in FTC v. Ross, argued that the FTC lacked an express statutory mandate to redress cybersecurity problems. Civil Doc. No. 12-2340 (Fourth Cir. App. 2/25/14)
In FTC v. Ross, the FTC sued a marketing company and its executive team and cofounders, alleging unfair and deceptive trade practices in the marketing of its “WinFixer” malware detector and PC security software. The alleged unfair and deceptive acts included encouraging consumers to conduct a “system scan” that would locate and isolate viruses and other malware on the customer’s computer. In fact, no such system scan occurred. Instead, users were told that their computers were infected with malware and then were prompted to buy WinFixer software to get “the malware” off their machines. Adding insult to injury, once customers realized they were scammed, Innovative Marketing refused to refund their money.
After the FTC’s enforcement action most of the defendants settled and entered into consent decrees, which is the typical practice in FTC enforcement actions. Some did not defend at all and default judgments were entered against those defendants. Kristye Ross, Innovative Marketing’s vice president, took her case to trial. The trial court granted summary judgment on the issue of whether Innovative Marketing’s acts were deceptive — they were. Ross had a bench trial on the issue of her personal liability for the acts of the company under Section 5(a) of the FTCA. The trial court found Ross liable for unfair and deceptive trade practices and awarded equitable relief.
On appeal Ross argued that the FTC lacked the authority to bring an action against her personally because the FTCA does not expressly authorize consumer redress in cyber cases. The court of appeals noted that Ross’s position was accurate but not dispositive of the question. Instead, the court held, “Congress was aware of the court’s equitable jurisdiction to decide all relevant matters in dispute and to award complete relief,” and, as such, it authorized the FTC to go to court and seek equitable redress for unfair and deceptive trade practices.
FTC v. Ross is important not solely for its affirmation of FTC Section 5 authority in cybersecurity cases. The court of appeals also held that individuals who knowingly or recklessly commit unfair and deceptive practices can be held personally liable for those acts. The court rejected Ross’s argument that allowing individual liability would punish those persons who were merely carrying out their job duties with “enthusiasm.” Instead, the court stated:
Ross’s proposed standard would permit the Commission to pursue individuals only when they had actual awareness of specific deceptive practices and failed to act to stop the deception, i.e. a specific intent/subjective knowledge requirement; her proposal would effectively leave the Commission with the “futile gesture” of obtaining “an order directed to the lifeless entity of a corporation while exempting from its operation the living individuals who were responsible for the illegal practices.”
The court also noted that its position regarding individual liability put it in line with all of the other federal courts of appeals to consider the issue.
So what should businesses understand about Ross? First, that the 4th Circuit Court of Appeals has upheld the FTC’s authority to bring enforcement actions for computer-related unfair and deceptive trade practices, which aligns it with the majority rule among circuits to consider the issue. Second, individuals may also be liable for unfair and deceptive trade practices if they directly participated in the deceptive practices, or if the individual had or should have had knowledge of them.