The US Court of Appeals for the Third District confirmed that the Federal Trade Commission (FTC) does have authority to bring an unfairness claim involving a data security breach without first formally issuing regulations on the subject.
Background. As reported here, after several data breaches the FTC alleged that Wyndham “failed to provide reasonable and appropriate security for the personal information [it] collected”. It accused the hotel chain of having violated section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices”, and sought a permanent injunction to prevent future violations of the Act, as well as certain other relief.
On April 7, 2014, after the District Court denied Wyndham’s motion to dismiss, the Third Circuit granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45; and, if so, whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision. The Third Circuit affirmed the District Court’s denial of dismissal.
As for the FTC’s alleged lack of legislative authority to bring the action, Wyndham argued that the requirements of § 45(n) (namely (i) a substantial injury that is not reasonably avoidable, (ii) not outweighed by countervailing benefits, and (iii) assessed with due regard to public policy) “are necessary but insufficient conditions of an unfair practice”, and that “the plain meaning of the word ‘unfair’ imposes independent requirements that are not met” by Wyndham’s conduct.
The Third District, like the District Court before it, was “not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of ‘unfair’”.
– On the FTC’s authority: The court quickly rejected the defendant’s argument that, if the FTC’s unfairness authority extended to Wyndham’s conduct, then the FTC would also have the authority to “regulate the locks on hotel room doors,… to require every store in the land to post an armed guard at the door, (…) and to sue supermarkets that are ‘sloppy about sweeping up banana peels’”. The Third Circuit found Wyndham’s reductio ad absurdum alarmist, and it sharply replied that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall [the number of hotel guests affected by the breaches] hardly suggests it should be immune from liability under § 45”.
– On fair notice: The Third Circuit also rejected Wyndham’s second argument, that it did not receive fair notice of the FTC’s cybersecurity guidelines before proceedings were commenced. In this regard, Wyndham argued that “the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow”. However, the Third Circuit pointed out that, for purposes of this motion, it was interpreting the FTC Act itself (as the District Court had done). Therefore, “Wyndham is only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute”.
On this basis, the Court concluded that Wyndham’s fair notice challenge failed. Among other considerations, it highlighted that the FTC alleged that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all. This, the court noted, may have led the company, hacked three times, to be aware “of the possibility that a court could find that its practices fail the cost-benefit analysis”.
For more information, Francesca Giannoni-Crystal
Interesting article on Wyndham, making the point that the Third Circuit decision is also important because it lists defenses that organizations should develop to defeat FTC allegations that their cyber-security practices are “unfair”.