The Third Circuit interlocutory decision in Federal Trade Commission v. Wyndham Worldwide Corporation was widely reported as a big win for the Federal Trade Commission (“FTC”). But on closer examination, it was a split decision in which Wyndham Worldwide Corporation (“Wyndham”) can claim an important victory. While affirming the FTC’s authority to regulate cyber-security practices under the “unfair practices” prong of the Federal Trade Commission Act (the “FTC Act”), the Third Circuit also rejected the FTC’s contention that FTC settlements and consent orders in cyber-security cases with unrelated parties have created standards against which Wyndham’s practices can be tested for “unfairness.” This Third Circuit decision identifies defenses companies should develop when facing FTC allegations that the company’s cyber-security practices are “unfair.”
The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). Since 2005, the FTC has relied on the unfairness prong of the FTC Act to bring administrative actions against companies alleging unfair practices based upon companies’ failures to protect consumer data against hackers. Many of these actions have ended in settlements in which the companies agree to modify cyber-security practices and submit to FTC supervision of their cyber-security practices for many years.
Although the FTC won before the Third Circuit on the threshold question of whether the FTC has authority to regulate cyber-security as an “unfair practice,” Wyndham successfully challenged the FTC’s efforts to transform the cyber-security settlements that the FTC has obtained over the past 10 years into a checklist of required cyber-security practices upon which the FTC can base unfairness enforcement actions.
Specifically, the Third Circuit stated the following: “We agree with Wyndham that the consent orders, which admit no liability and which focus on prospective requirements on the defendant, were of little use to it in trying to understand the specific requirements imposed by § 45(a).” (Footnote 22)
Further commenting on this issue, the Third Circuit stated: “We recognize it may be unfair to expect private parties back in 2008 [the time period relevant to the claims against Wyndham] to have examined FTC complaints or consent decrees. Indeed, these may not be the kinds of legal documents they typically consulted.” (Footnote 23)
At this point, the FTC’s allegations have merely survived a motion to dismiss on the pleadings. In order to prevail in its unfairness claim against Wyndham, the FTC will have to prove the elements applicable to an unfairness claim. Specifically, the FTC will have to show, at a minimum, that Wyndham’s cyber-security practices in effect during the relevant time period:
- caused or are likely to cause substantial injury to consumers;
- this injury is not reasonably avoidable by consumers themselves; and
- this injury is not outweighed by countervailing benefits to consumers or to competition.
15 U.S.C. § 45(n).
The Third Circuit found that proving the three elements identified above may not be sufficient to establish unfairness liability and that there may be other considerations that are relevant based on the facts of a particular case. At any trial, Wyndham will have the ability not just to challenge the accuracy of the allegations made in the FTC’s complaint, but also to identify any other facts that undermine the FTC’s claim that Wyndham’s security practices were unfair to consumers. Furthermore, the FTC cannot meet its burden of proving unfairness by simply identifying instances where Wyndham failed to comply with standards set forth in settlements that the FTC reached with other parties. As the Third Circuit opinion also makes clear, the FTC must show “substantial injury” to consumers in order to prevail. In making this showing, the FTC cannot merely rely on evidence of consumer inconvenience as a result of a data security breach.
For companies facing FTC challenges to their cyber-security practices as unfair, the lesson here is clear. Do not concede that your company has engaged in an unfair practice merely because the company failed to comply with a requirement in a settlement agreement between the FTC and an unrelated third party. Every company is different when it comes to the cyber-security exposures it faces, and a company’s decision not to adopt a specific cyber-security measure may be justified by the specific nature of the cyber-security risks it faces, or by the fact that it has adopted alternative measures that are as good as or better than the cyber-security practices that the FTC advocates. Finally, companies should hold the FTC to its heavy burden of proving that alleged lapses in security practices caused substantial injury to consumers, and not mere inconvenience.