On August 24, in a highly anticipated decision, the United States Third Circuit Court of Appeals unanimously affirmed the district court's ruling in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission ("FTC") has the authority to regulate a company's data security practices under Section 5 of the FTC Act, which broadly prohibits "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a) ("Section 5"). In a precedent-setting victory for the FTC, the Third Circuit further held that Wyndham - after being victimized by several data breaches - had fair notice that its cybersecurity practices could fall short of Section 5's "unfairness" standard. The court's decision endorses the FTC as a key cybersecurity regulator and is instructive for companies subject to the FTC's enforcement authority.
Wyndham also argued that notwithstanding whether its conduct was unfair under Section 5, the FTC failed to provide fair notice of the specific cybersecurity standards the company was required to implement and follow. Wyndham specifically pointed out that there was no rule, adjudication or document meriting deference in which the FTC affirmatively declared that cybersecurity practices can be unfair. The Court rejected this argument, stating that the relevant inquiry was not "whether Wyndham had fair notice of the FTC's interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires." The Court ruled that Wyndham was not entitled to know with "ascertainable certainty" what the FTC's interpretation of the statute was or what cybersecurity practices are required by Section 5. The Court further pointed out that Section 5's requirement of a cost-benefit analysis should have been instructive. While the statute by no means offered clear guidance, the Third Circuit nonetheless stated that "[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute." The Court ultimately concluded that Wyndham did have fair notice of the meaning of Section 5 in the context of cybersecurity and data privacy, pointing in support of that finding to the allegations that Wyndham had suffered three separate breaches, that it had taken insufficient action to protect against and that the FTC had in fact published a guidebook providing a checklist of practices that form a "sound data security plan."
The Third Circuit's opinion is undoubtedly an important one in the realm of cybersecurity law. While the FTC has steadily increased its enforcement activities against companies with inadequate cybersecurity measures since 2005, this is the first major case to affirm its authority to do so. While by no means a mandate on what companies must do to avoid allegations of "unfair" or "deceptive" cybersecurity practices, the case provides useful guidance to companies on how they should implement and develop their cybersecurity practices and offers examples of unacceptable or deficient practices that companies should be aware of and ward against.