The US Federal Trade Commission was again told it has the authority to regulate cybersecurity practices.
In a case spanning more than three years, a US Circuit Court of Appeals in Philadelphia unanimously upheld an April 2014 district court ruling, clearing the way for the FTC to pursue a lawsuit against hotel operator Wyndham Worldwide related to three cyber breaches in 2008 and 2009.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” FTC Chairwoman Edith Ramirez said in a statement. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The Third Circuit is the first major appellate court to weigh in on the issue of whether the FTC has authority to regulate corporate cybersecurity under Section 5 of the FTC Act.
“While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” Wyndham Worldwide said in a statement sent to Advisen. “It is important to note that today’s opinion was decided solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value.
“Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded.”
The appellate outcome was not necessarily surprising, but sources agreed the issues involved in the case were worth clarifying.
“The appellate court’s decision today was somewhat expected. Reversing the decision upholding the FTC’s Section 5 authority to regulate data security practices would have created profound uncertainty in this space,” said Stuart A. Panensky, partner, Traub Lieberman Straus & Shrewsberry. “The court took the safer course and upheld the agency’s authority.”
Eric S. Hochstadt, partner at Weil in New York, said companies can expect more FTC investigations, and a “fallout including higher costs following a cyber breach.”
“Future implications of this decision mean that policyholders’ defense and investigation response costs could increase,” added Scott Godes, partner in Barnes & Thornburg’s Washington DC office.
The actual allegations against Wyndham still need to be decided. The FTC claims Wyndham used no cybersecurity measures, such as encryption or firewalls, to protect consumers’ personal data.
The FTC filed a civil lawsuit in 2012 against Wyndham Worldwide and three subsidiaries for allegedly engaging in unfair and deceptive practices related to the protection of customer personal information. According to court documents, hackers stole payment card information from more than 619,000 consumers and caused at least $10.6 million in fraud loss.
Wyndham decided to take on the federal entity, filing a motion to dismiss the lawsuit and challenging the FTC’s authority as a cybersecurity regulator. Other companies fined by the FTC have absorbed the costs as well as years of audits under settlements. A district court judge unequivocally ruled in favor of the FTC’s authority but certified its decision on the unfairness claim for an interlocutory appeal.
The appellate court brought up Wyndham’s citing of the dictionary definition of “unfair,” arguing a practice is only unfair if it is “not equitable” or is “marked by injustice, partiality or deception.”
“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” the court shot back.
Part of Wyndham’s argument centered on a contention the FTC had not given proper notice of cybersecurity regulations. “We have little trouble rejecting Wyndham’s fair notice claim,” said the appellate court in upholding the FTC’s interpretation of the unfair practices prong of the act.
Hochstadt said the court concluded that Wyndham did not need notice because it knows the statute, which courts have ruled does apply today in this scenario. And following multiple hacks and previous public enforcement proceedings (the FTC said there were five prior to Wyndham’s first cyberattack in 2008), Wyndham “should have realized the procedures it had in place could be found to be unfair,” he said. The FTC alleges the hackers used the same methods in each cyberattack on Wyndham.
“Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute,” said the ruling.
Organizations can expect to face additional regulatory scrutiny following this latest ruling, said Roberta Anderson, partner in the Pittsburgh office of K&L Gates. She urges companies to make cybersecurity a priority.
“In addition to significantly decreasing the odds of a successful attack, solid cybersecurity will position an organization much better when regulators come calling in the wake of a breach event,” Anderson said.
Josh Gold, shareholder at Anderson Kill, agreed and added that companies are “playing it risky” if they do not take computer security seriously.
“The Third Circuit specifically held that ‘A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, [and] fails to make good on that promise by investing inadequate resources in cybersecurity,’” he said. “If you couple this ruling with the Seventh Circuit’s ruling on class action liability a few weeks ago, it appears there is a growing trend of court concern over cyber security efforts.
“I think the Third Circuit decision is also a warning that if a company is going to say anything affirmative about the computer security it employs, such assurances are likely to be heavily scrutinized.”
Godes said policyholders should use the opportunity to evaluate their insurance programs and “consider how their insurance policies would provide coverage for an investigation by or a lawsuit with the FTC.”
Wyndham said protecting customers’ personal information “remains a top priority for our company.” The company adds that the rise in the frequency and severity of cyberattacks encourages partnerships. “We believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries,” Wyndham said.