The number and scale of cyber attacks on U.S. corporations has outpaced the development of regulations and methods to enforce such regulations. To date, it has been relatively unclear whether cybersecurity would be governed by the Federal Trade Commission (FTC) Act, the Fair Credit Reporting Act, the Stored Communications Act or laws found in various states around the country. Because of the decision issued by the U.S. Court of Appeals for the 3rd Circuit in Federal Trade Commission v. Wyndham Worldwide Corp., we now have more clarity on this issue.
On August 24, 2015, the 3rd Circuit held that the FTC has the authority to regulate cybersecurity for American corporations and businesses. In particular, the 3rd Circuit held that the FTC can bring an unfairness claim involving data security under the FTC Act of 1914 and U.S. businesses have sufficient notice of regulations giving rise to an unfairness claim under the Act.
Wyndham, a company that franchises and manages hotels, suffered three data breaches in 2008 and 2009 caused by separate hacker attacks on Wyndham’s computer networks. The hackers stole credit card information and other personal information from over 600,000 of Wyndham’s customers. The attacks resulted in a loss of at least $10.6 million related to the fraud.
In initiating its action, the FTC alleged Wyndham “engaged in unfair cybersecurity practices that, ‘taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’” The FTC also claimed Wyndham failed to use proper security measures to protect customers’ data, including encryption of valuable customer financial data.
The FTC originally filed suit in a District Court in Arizona, claiming Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. § 45(a). The case was ultimately transferred to a District Court in New Jersey. Once it was transferred, Wyndham filed a motion to dismiss on the unfair practice and deceptive practice claims. The District Court denied the motion to dismiss and certified its decision for interlocutory appeal.
FTC had Authority Under FTC Act of 1914
The threshold question on appeal was whether the FTC could bring an administrative action against companies under the FTC Act based on allegations of deficient cybersecurity measures to protect consumers against hackers. Based on various amendments through the years, a violation of the FTC Act has developed to require “substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition.” In its complaint, the FTC alleged Wyndham’s failure to implement proper safeguards was in violation of the FTC Act. The Third Circuit agreed with the FTC.
Also on this point, Wyndham took the position that the FTC failed to meet this requirement because a “business does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The 3rd Circuit was not persuaded by Wyndham and opined that the second and third breaches were foreseeable to Wyndham after it suffered the first attack and, therefore, the FTC could survive Wyndham’s motion to dismiss.
Wyndham had Proper Notice of Cybersecurity Standards Required to Follow
Wyndham also argues that it did not receive proper notice that the FTC was interpreting the Act to include lax cybersecurity measures as a violation (“The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires”). In rejecting Wyndham’s argument, the 3rd Circuit framed the issue on appeal as follows:
…Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.
The 3rd Circuit held “[a]s a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not the agency’s interpretation of the statute.” Further, the 3rd Circuit found Wyndham’s argument that it “lacked notice of what specific cybersecurity practices are necessary to avoid liability” lacked merit when Wyndham had been attacked three times (“At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis”).
Implications of the Wyndham Decision
The FTC’s Chairwomen, Edith Ramirez, has already issued a statement concerning the Wyndham decision that “it is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” Consequently, based on the reasoning of the Wyndham decision, corporations are going to have a difficulty taking the position that they were somehow unaware of the importance of cybersecurity. Further, now that the FTC is taking the lead in enforcing cybersecurity measures, U.S corporations should expect the FTC to provide clear guidance on what is expected to safeguard data.
This post originally appeared in Advisen’s Cyber Risk Network on August 25, 2015 (http://www.cyberrisknetwork.com/)