The FTC Cybersecurity Authority Is Affirmed By The Third Circuit

Decisions have been made regarding the FTC’s cybersecurity authority…

In a precedential decision, the Third Circuit Cmorourt of Appeals recently affirmed the cybersecurity authority of the Federal Trade Commission (FTC) to hold businesses liable for data breaches under Section 5 of the FTC Act.

The Facts of the Case

During 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s computer network on three separate occasions. In total, they stole personal and financial information for hundreds of thousands of consumers, which resulted in more than $10.6 million dollars in fraudulent charges.

In recent years, the FTC has been increasingly bringing administrative actions under Section 5 of the FTC Act against companies that suffered data breaches due to allegedly deficient cybersecurity. The statute prohibits “unfair or deceptive acts or practices in or affecting commerce.”

In FTC v. Wyndham Worldwide Corporation, the FTC alleged that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The FTC specifically maintained that contrary to Wyndham’s stated data privacy and security policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

In defense of the suit, Wyndham argued that the FTC lacked the authority to regulate cybersecurity under the FTC Act. It further argued that Wyndham did not have fair notice that its specific cybersecurity practices could fall short of the statute’s requirements.

The Court’s Decision

With regard to whether Wyndham’s conduct was unfair, the appeals court rejected Wyndham’s defenses. According to the Third Circuit, there was little merit to Wyndham’s argument that a practice is only unfair if it is “not equitable” or “marked by injustice, partiality, or deception.” The appeals court further held that agreeing upon a precise definition did not really matter in this case.

As further explained in the opinion, “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Third Circuit also rejected Wyndham’s fair notice claim, concluding that Wyndham had fair notice that its conduct could fall within the meaning of the FTC Act. In reaching its decision, the court noted that the FTC published a guidebook for businesses in 2007 regarding best practices for protecting confidential consumer data. “The guidebook does not state that any particular practice is required by § 45(a), but it does counsel against many of the specific practices alleged here,” the panel highlighted.

The appeals court also noted that the FTC filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity prior to the company’s data breach. More importantly, the documents were all published via the FTC website or the Federal Register.

The Message for Businesses

In light of the decision, businesses should take the FTC seriously when it comes to cybersecurity. In particular, it is imperative to ensure that a company’s stated data protection policies and cybersecurity procedures are faithfully executed. In the case of Wyndham, one of its biggest mistakes was promising consumers one thing and doing another.