25 August 2015
On August 24, 2015, the US Court of Appeals for the Third Circuit released its opinion in the closely watched case of Federal Trade Commission v. Wyndham Worldwide Corp., holding that the Federal Trade Commission (FTC) has the authority under the “unfairness” provision of Section 5 of the FTC Act to assert claims against Wyndham for failure to implement certain cybersecurity safeguards that allegedly resulted in three data breaches over several years.
In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham’s corporate computer systems and stole credit card numbers. The FTC brought an enforcement action in federal court in New Jersey, asserting (among other things) that Wyndham’s allegedly inadequate cybersecurity was “unfair” in violation of the FTC Act.
Wyndham moved to dismiss the complaint on various grounds, including that the FTC lacked authority to regulate cybersecurity through the FTC Act’s “unfairness” prohibition. It also argued that the FTC had not provided notice of the cybersecurity standards it purported to enforce. Although denying the motion to dismiss, the district court certified (and the Third Circuit accepted) two questions for interlocutory review: (1) whether the FTC has the authority under Section 5 of the FTC Act to pursue an unfairness claim for allegedly inadequate cybersecurity; and (2) whether Wyndham had fair notice that its specific cybersecurity practices could be declared “unfair” under the Act.
The Third Circuit first considered Wyndham’s argument that the FTC had failed to plead “unfair” practices within the plain meaning of that term. Relying on the specific allegations made by the FTC, the Court rejected Wyndham’s arguments, concluding in part that the FTC’s allegations would meet even the standards Wyndham had proposed for interpreting the term “unfair.”
Next, the Court of Appeals considered Wyndham’s argument that the FTC Act should not be construed to permit regulation of cybersecurity given Congress’ more recent passage of industry-specific statutes mandating the creation of data security requirements (such as the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, and the like). The court concluded that this later legislation did not conflict with the FTC Act, nor was the enactment of those statutes “inexplicable” in light of the FTC’s asserted authority under the FTC Act. In addition, the court concluded that the FTC’s push for additional statutory authority to regulate cybersecurity did not imply that it lacked the authority it asserted in this case.
Finally, the Third Circuit considered Wyndham’s argument that it lacked notice of what specific cybersecurity practices were necessary to avoid liability. The court concluded that, because it was interpreting the FTC Act itself in the first instance rather than the FTC’s own interpretation of the Act or a regulation implementing the Act, Wyndham was entitled only to “fair notice of what the statute itself requires,” not “ascertainable certainty” of “the FTC’s interpretation of the statute.” The Court of Appeals found the former standard satisfied here, in large part based upon a comparison of the types of cybersecurity claims that the FTC had brought against other defendants in earlier cases to the types of claims the FTC is asserting against Wyndham.
The Third Circuit’s opinion is likely to herald further FTC enforcement actions brought under the FTC Act’s “unfairness” provision. Likewise, the decision is likely to prompt further discussions in Congress of the use of FTC enforcement actions to set national cybersecurity policy in the absence of more specific Congressional direction. Businesses that hold consumers’ personally identifiable information consequently should continue to monitor FTC activity in this area as they consider their cybersecurity practices and policies in the face of substantial cyber threats.