The number and scale of cyber attacks on US corporations have outpaced the development of regulations and of methods to enforce them. To date, it has been relatively unclear whether cybersecurity would be governed by the Federal Trade Commission Act, the Fair Credit Reporting Act, the Stored Communications Act or by the laws of the various states.
We now have more clarity on this issue.
On August 24, 2015, the US Court of Appeals for the Third Circuit issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514, holding that the FTC has the authority to regulate cybersecurity for American corporations and businesses. In particular, the Third Circuit held that the FTC can bring an unfairness claim involving data security under the Federal Trade Commission Act of 1914, and that Wyndham had fair notice that its conduct could fall within the Act's prohibition of unfair practices.
The Wyndham Breaches
Wyndham, a company that franchises and manages hotels, suffered three data breaches in 2008 and 2009 caused by separate hacker attacks on Wyndham’s computer networks. The hackers stole credit card information and other personal information from over 600,000 of Wyndham’s customers. The attacks resulted in a loss of at least $10.6 million related to the fraud.
The FTC Action
In initiating its action, the FTC alleged Wyndham “engaged in unfair cybersecurity practices that, ‘taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’” The FTC also claimed Wyndham failed to use proper security measures to protect customers’ data, including failing to encrypt customers’ payment card data.
The FTC originally filed suit in the District Court in Arizona claiming Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. § 45(a). The case was ultimately transferred to the District Court in New Jersey. Once it was transferred, Wyndham filed a motion to dismiss on the unfair practice and deceptive practice claims. The District Court denied the motion to dismiss and certified its decision for interlocutory appeal.
The FTC Had Authority Under The Federal Trade Commission Act of 1914
The threshold question on appeal was whether the FTC could bring an enforcement action against companies under the FTC Act based on allegations of deficient cybersecurity measures to protect consumers against hackers. As amended and codified at 15 U.S.C. § 45(n), the Act now requires that an act or practice deemed unfair cause or be likely to cause “substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition.” In its complaint, the FTC alleged Wyndham’s failure to implement proper safeguards was in violation of the FTC Act, and the Third Circuit agreed with the FTC.
In general, the Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The Third Circuit first analyzed the meaning of “unfairness” as used in the Act. Wyndham argued that the FTC could not bring an action against it because the FTC’s allegations failed to meet the requirements of “unfairness” under the Act. The Third Circuit rejected Wyndham’s argument when it held: “[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”
Also on this point, Wyndham took the position that the FTC failed to meet this requirement because a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The Third Circuit was not persuaded by Wyndham and opined that the second and third breaches were foreseeable to Wyndham after it suffered the first attack and, therefore, the FTC’s unfairness claim could survive Wyndham’s motion to dismiss.
Wyndham Had Proper Notice Of The Cybersecurity Standards Corporations Were Required To Follow Under the FTC Act
Wyndham also argued that it did not receive proper notice that the FTC was interpreting the Act to treat lax cybersecurity measures as a violation. In rejecting Wyndham’s argument, the Third Circuit noted that “[t]he relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires,” and framed the issue on appeal as follows:
…Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.
The Third Circuit held “[a]s a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not the agency’s interpretation of the statute.” Further, the Third Circuit found Wyndham’s argument that it “lacked notice of what specific cybersecurity practices are necessary to avoid liability” lacked merit when Wyndham had been attacked three times. (“At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.”)
Implications of The Wyndham Decision
The FTC’s Chairwoman, Edith Ramirez, has already issued a statement concerning the Wyndham decision that “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” Consequently, based on the reasoning of the Wyndham decision, corporations are going to have difficulty taking the position that they were somehow unaware of the importance of cybersecurity. Further, now that the FTC is taking the lead in enforcing cybersecurity measures, US corporations should expect the FTC to provide clearer guidance on what is expected to safeguard data.