08.26.2015

Since at least 2005, the Federal Trade Commission has asserted that it may regulate lax data security practices as an “unfair” business practice under Section 5 of the FTC Act. The Wyndham hotel chain was the first to challenge this authority in court. In a highly anticipated opinion, the U.S. Court of Appeals for the Third Circuit resoundingly agreed with the FTC that a failure to implement reasonable data security measures may constitute an unfair business practice under Section 5. See FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015). With the FTC’s authority in this field now more firmly established, the agency can be expected to pursue more aggressively those companies it believes have failed to reasonably secure consumer information.

Below, we summarize the key aspects of the Third Circuit’s reasoning and then discuss the future implications of the decision for companies.

Background

The FTC sued Wyndham after a series of security breaches at the Wyndham hotel chain. Intruders penetrated Wyndham’s computer network on three occasions between 2008 and 2010 and stole payment card information for more than 600,000 consumers. The FTC charged that the first two breaches revealed a number of significant security lapses, but, even with that knowledge, corrective measures were not taken and further infiltrations of Wyndham’s network ensued. The FTC alleged that Wyndham’s failure to implement appropriate data security measures was both unfair and deceptive under Section 5 of the FTC Act. See 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”).

Wyndham moved to dismiss the FTC’s complaint, and the district court denied the motion. See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014). (For a full description of the district court’s reasoning and result, see our previous update on the case.)

Wyndham appealed the district court’s denial of its motion to dismiss, and the Third Circuit granted Wyndham’s request for interlocutory review of two questions.

The Third Circuit’s Reasoning

1. Existence of Unfairness Authority

The first question on which the Third Circuit granted review was “whether the FTC has authority to regulate cybersecurity under the unfairness prong of” Section 5 of the FTC Act. Slip op. at 6-7.

Wyndham argued that the data security lapses alleged by the FTC did not amount to an unfair business practice for several reasons, each of which the Third Circuit rejected:

  • Wyndham’s Status as Victim Not Relevant. Wyndham argued that its alleged misconduct was not “unfair” because Wyndham did not act “unscrupulously” or “unethically,” and because Wyndham itself was victimized by the hackers. The Third Circuit disagreed both because the Supreme Court has held that unfair conduct need not be unscrupulous and because there was no authority for Wyndham’s view that its own harms immunized it against liability for harms it caused to others. Id. at 19-20.
  • Third Circuit Not Impressed by Wyndham’s Parade of Horribles. Wyndham argued that “if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to regulate the locks on hotel room doors, to require every store in the land to post an armed guard at the door,” and to sue supermarkets that are “sloppy about sweeping up banana peels.” Id. at 20 (internal quotation marks, citations and alterations omitted). The Third Circuit dismissed that argument as “alarmist to say the least” and observed that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.” Id.
  • Congressional Adoption of Data Privacy Statutes in Specific Areas Does Not Mean the FTC Lacks General Data Security Authority Under Section 5. Wyndham argued that Congress lacked a reason to pass data security requirements in laws such as the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act if the FTC already had authority over cybersecurity under Section 5. The Third Circuit disagreed, reasoning that Congress could have enacted the more recent statutes to give the FTC power to adopt data security regulations—power that it lacked under Section 5.
  • The FTC Has Not Disclaimed Unfairness Authority Over Data Security. Wyndham argued that the FTC had disavowed any authority to regulate cybersecurity as an unfair practice by, at various points in time, asking Congress to enact general privacy and data security laws. The Third Circuit rejected Wyndham’s argument, holding that the agency had not in fact conceded that its Section 5 unfairness authority did not extend to data security practices.

2. Fair Notice

The second question on which the Third Circuit granted review was “whether Wyndham had fair notice its specific cybersecurity practices could fall short of [the unfairness standard]” as required by due process. Slip op. at 6-7.

Wyndham argued that, even if the FTC has authority to regulate data security, the FTC did not provide adequate notice of the standards with which companies like Wyndham must comply.

The Third Circuit held that because the courts, rather than the FTC, are the arbiters of what constitutes an unfair practice under Section 5, Wyndham was entitled only to fair notice of what Section 5 requires—not what the FTC thinks Section 5 requires. See id. at 35. The Third Circuit further held that Wyndham had more than adequate notice of what the statute requires because the FTC Act makes clear that “the relevant inquiry . . . is a cost-benefit analysis.” Id. at 39. And here, reasoned the Third Circuit, Wyndham surely could have foreseen that its data security practices might fail that test—at least after Wyndham’s system was initially infiltrated. See id. at 41 (“[C]ertainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.”).

Implications of the Third Circuit’s Decision

The Wyndham decision is no doubt a major victory for the FTC. While Wyndham may seek Supreme Court review of the Third Circuit’s ruling, and while the FTC faces similar arguments in a pending administrative action against LabMD, the Third Circuit’s ruling is a strong affirmance of the FTC’s authority to require companies that hold consumer data to implement reasonable data security practices.

What Data Security Practices Are Reasonable? Proceedings on remand in the Wyndham case, and FTC investigations of other companies, will now likely focus in more detail on what data security practices are reasonable. The Third Circuit was careful to emphasize that its opinion was not a ruling on the merits of whether any particular practices are required and that Wyndham might still prevail at a later stage. At the same time, the Third Circuit had “little trouble” rejecting Wyndham’s argument that it was entitled to know, in advance of FTC enforcement, what specific data security standards it must follow. Id. at 38. So how is a company that wants to steer clear of enforcement or FTC interest to know what practices are “reasonable” under Section 5? At present, there are several sources to which a company can look:

  • Legal Test: Cost-Benefit Analysis. The Third Circuit stated “that the relevant inquiry here is a cost-benefit analysis that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” Id. at 39-40 (citations omitted). This is the test from unfairness cases generally, not specific to the data security context. But the Third Circuit offered little guidance as to how that test should be applied in specific cases, and it acknowledged that “there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold.” Id. at 40.
  • Prior FTC Consent Orders. The FTC argued in Wyndham that its own consent orders, even though they are settlements with one company, provide guidance to industry. The FTC recently summarized its data security complaints by the type of practice at issue in a pamphlet that is a good starting point for companies seeking to avoid a charge of unfairness under Section 5. See Fed. Trade Comm’n, Start with Security: A Guide for Business (June 30, 2015).
  • The FTC’s Complaint Against Wyndham. The Third Circuit did not specifically address whether the allegations in the FTC’s complaint stated a claim against Wyndham. Slip op. at 7 n.1. It did, however, take pains to point out that Wyndham’s conduct seemed egregious and that the FTC made several specific allegations about the shortcomings of Wyndham’s cybersecurity efforts, including “that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.” Id. at 40 (citations omitted).
  • Legal Advice. Companies should also seek legal advice as to whether their specific data security practices measure up to FTC “precedents” and guidance.
  • Third-Party Assessments. Data security auditors can evaluate and compare whether a company’s practices meet industry standards.

Analysis of Reasonableness of Data Security Practices Not Entirely New. The Third Circuit’s opinion relates only to the FTC’s unfairness authority. Many of the FTC’s data security consent orders are premised on its deception authority, not challenged by Wyndham. Wyndham’s privacy policy said, among other things, that “[w]e safeguard our Customers’ personally identifiable information by using industry standard practices” and trumpeted Wyndham’s use of “a variety of different security measures designed to protect personally identifiable information.” Slip op. at 9. In responding to FTC inquiries, companies have addressed for years whether their specific data security practices met similar standards stated in their privacy policies or other representations to consumers, including whether they were “reasonable” when that was the stated standard. Thus, while the Third Circuit’s decision may shift the FTC’s focus toward the unfairness framework, which can be asserted even in the absence of allegedly deceptive representations about security such as Wyndham’s, as a practical matter the analysis of data security practices suggested by the Third Circuit opinion is not entirely new.

© 2015 Perkins Coie LLP
