In a case questioning whether the FTC has authority to police companies’ cybersecurity practices, the Third Circuit Court of Appeals has held that Wyndham Worldwide Corp. must face a suit in which it’s accused of failing to secure its computers from Russian hackers. The 3-0 decision by the Third Circuit upheld an April 2014 lower court ruling allowing the case to go forward. In the case, the FTC seeks to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole personal information, including credit card numbers, from more than 619,000 consumers. The stolen information led to over $10.6 million in fraudulent charges.
In its opinion, the Third Circuit handed the FTC a resounding victory. First, the Third Circuit determined there was ample legal authority for the FTC to address cybersecurity practices as unfair under 15 U.S.C. § 45(a). The Third Circuit was not persuaded that Wyndham’s alleged failure to protect consumers’ personal information from hackers fell outside the plain meaning of unfair. Wyndham then argued that even if cybersecurity was covered by § 45(a) as initially enacted, three subsequent legislative acts reshaped § 45(a)’s meaning to exclude cybersecurity. The Third Circuit disagreed, concluding “that the FTC later brought unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm is not inconsistent with the agency’s earlier position.”
Having rejected Wyndham’s arguments that its failure to protect consumer personal information against hackers could not amount to an unfair business practice, the Third Circuit turned to the question of fair notice. There, Wyndham claimed that, notwithstanding whether its failure to protect consumer personal information against hackers was unfair under § 45(a), the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow. The Third Circuit concluded that “Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a).” In the Third Circuit’s mind, the question was whether Wyndham had fair notice that its failure to protect consumer personal information against hackers fell within the meaning of § 45(a). The Third Circuit left the question of whether Wyndham was entitled to know the FTC’s interpretation of cybersecurity practices for a later time in the case.
Turning to the question of whether Wyndham was given fair notice, the Third Circuit determined that Wyndham did not meaningfully raise the issue of fair notice, instead raising the issue of whether Wyndham was entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Furthermore, the Third Circuit found that the FTC’s prior actions with respect to various consent decrees gave Wyndham ample notice of what constituted an inadequate program of cybersecurity and, in dicta, some indication of adequate cybersecurity practices.
FTC Chairwoman Edith Ramirez welcomed the Third Circuit’s decision with open arms. In a statement, Ms. Ramirez said, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Even in light of the Third Circuit’s opinion, Wyndham isn’t convinced the FTC has the authority to act as the nation’s cybersecurity watchdog. Michael Valentino, vice president of marketing and communications for Wyndham, said in a statement:
While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. It is important to note that today’s opinion was decided based solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value. Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded. Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.
The Third Circuit’s opinion in the Wyndham matter is very likely to be the most significant cybersecurity decision this year, and one that will have a real impact in the near future. The opinion carries several significant implications, including: 1) those companies currently subject to the FTC’s consumer protection authority are now subject to the FTC’s newly affirmed cybersecurity regulation authority; 2) the FTC does not have to define what constitutes adequate cybersecurity by rule, regulation, or guidance, and instead may provide notice of what the law requires through its enforcement process; 3) whatever the standard for adequate cybersecurity turns out to be, it is now the minimum threshold that companies must follow; and 4) as a corollary, the minimum standard, whatever it turns out to be, will also be the maximum threshold that companies must meet to stave off litigation with the FTC.
While the FTC has won the day at this stage of the litigation, as noted, Wyndham intends to fight the battle over the FTC’s authority to regulate cybersecurity. The answer to the questions addressed by the lower district court and the Third Circuit may change after the discovery process plays out. However, for now, the FTC is the nation’s de facto cybersecurity watchdog, and companies experiencing security breaches may feel the power of the FTC’s new enforcement sword.