Scarinci Hollenbeck, LLC

The FTC Cybersecurity Authority Is Affirmed By The Third Circuit

Author: Scarinci Hollenbeck, LLC

Date: August 31, 2015

Decisions have been made regarding the FTC’s cybersecurity authority…

In a precedential decision, the Third Circuit Court of Appeals recently affirmed the cybersecurity authority of the Federal Trade Commission (FTC) to hold businesses liable for data breaches under Section 5 of the FTC Act.

The Facts of the Case

During 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s computer network on three separate occasions. In total, they stole personal and financial information for hundreds of thousands of consumers, which resulted in more than $10.6 million in fraudulent charges.

In recent years, the FTC has been increasingly bringing administrative actions under Section 5 of the FTC Act against companies that suffered data breaches due to allegedly deficient cybersecurity. The statute prohibits “unfair or deceptive acts or practices in or affecting commerce.”

In FTC v. Wyndham Worldwide Corporation, the FTC alleged that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The FTC specifically maintained that contrary to Wyndham’s stated data privacy and security policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

In defense of the suit, Wyndham argued that the FTC lacked the authority to regulate cybersecurity under the FTC Act. It further argued that Wyndham did not have fair notice that its specific cybersecurity practices could fall short of the statute’s requirements.

The Court’s Decision

With regard to whether Wyndham’s conduct was unfair, the appeals court rejected Wyndham’s defenses. According to the Third Circuit, there was little merit to Wyndham’s argument that a practice is only unfair if it is “not equitable” or “marked by injustice, partiality, or deception.” The appeals court further held that agreeing upon a precise definition did not really matter in this case.

As further explained in the opinion, “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Third Circuit also rejected Wyndham’s fair notice claim, concluding that Wyndham had fair notice that its conduct could fall within the meaning of the FTC Act. In reaching its decision, the court noted that the FTC published a guidebook for businesses in 2007 regarding best practices for protecting confidential consumer data. “The guidebook does not state that any particular practice is required by § 45(a), but it does counsel against many of the specific practices alleged here,” the panel highlighted.

The appeals court also noted that the FTC filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity prior to the company’s data breach. More importantly, the documents were all published via the FTC website or the Federal Register.

The Message for Businesses

In light of the decision, businesses should take the FTC seriously when it comes to cybersecurity. In particular, it is imperative to ensure that a company’s stated data protection policies and cybersecurity procedures are faithfully executed. In the case of Wyndham, one of its biggest mistakes was promising consumers one thing and doing another.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
