The United States Court of Appeals for the Third Circuit unanimously affirmed the Federal Trade Commission’s authority to bring legal action against companies that fail to employ reasonable cybersecurity measures to protect non-public consumer data.
Federal Trade Commission v. Wyndham Worldwide Corporation (No. 14-3514) was decided on August 24. The opinion and briefs are here.
Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)) gives the FTC authority to seek legal remedies against those who engage in “unfair or deceptive acts or practices affecting commerce.”
The agency has brought dozens of enforcement actions against companies alleging that their inadequate cybersecurity practices constitute unfair practices under Section 5. Until the Wyndham decision, however, it was not clear whether the FTC actually had the authority under Section 5 of the FTC Act to regulate inadequate cybersecurity practices as unfair acts or practices. The Third Circuit answered the question in the affirmative.
Among other things, the FTC alleged that the hackers had obtained payment card information from over 619,000 customers resulting in at least $10.6 million in fraud losses, and that Wyndham had failed to improve its cybersecurity practices even after it had experienced the second breach.
Wyndham filed a motion to dismiss the lawsuit on the basis that the FTC lacked authority to regulate cybersecurity practices.
The district court denied Wyndham’s motion to dismiss and Wyndham appealed. The Third Circuit affirmed the district court’s decision to deny dismissal of the case, holding that the FTC does have authority to regulate cybersecurity practices and seek remedies from those whose cybersecurity practices are inadequate.
More often, companies charged with violations settle with the FTC by agreeing to implement better security measures and agreeing to be subject to outside monitoring.
The Third Circuit confirmed that lax cybersecurity measures may constitute unfair practices under the FTC Act and that the FTC has the authority to sue violators.
* * *
The potential liability for engaging in unfair or deceptive practices under the FTC Act is substantial. The FTC can seek three types of remedies in court: (i) civil penalties of up to $16,000 per violation of an FTC regulation, (ii) recovery of losses suffered by consumers, and (iii) injunctive relief that enables the FTC to freeze assets, rescind contracts and impose temporary receivers on violators.
Wyndham had argued that the FTC’s failure to provide it with notice as to the specific security measures it considered reasonable and unreasonable made the FTC’s enforcement action unconstitutional as a violation of due process. The court rejected that argument and, perhaps significantly for future cases, appears to have agreed with the FTC that preexisting industry guidelines, a published FTC guidebook and the complaints filed in previous FTC enforcement actions serve to give companies ample notice as to what constitutes reasonable security programs.
The FTC’s allegations of wrongdoing against Wyndham serve as a warning to every company that collects personal information from consumers.
Those allegations included:
(i) allowing the use of easily guessed passwords,
(ii) failing to use readily available security measures, such as firewalls and encryption,
(iii) failing to employ reasonable measures to detect and prevent unauthorized access,
(iv) failing to follow proper incident response procedures, and
(v) failing to monitor its network for malware used in the previous intrusions into Wyndham’s systems.
The FTC expects companies collecting private consumer data to take reasonable measures to safeguard that data and avoid committing the same mistakes as those made by Wyndham.
Although the Third Circuit didn’t squarely address this issue (because Wyndham failed to raise it on appeal), the court did refer disapprovingly to Wyndham’s false representations. Those representations may be an additional basis for the district court to assess Wyndham’s liability if the case proceeds to a trial.
* * *
One take-away here is that companies should periodically review their privacy policies to confirm they accurately reflect their actual cybersecurity practices.
In the next post, I’ll describe how companies collecting personal information from consumers can minimize the risk of an enforcement action.
Daniel Appelman is a partner in the Menlo Park-based law firm of Montgomery & Hansen LLP. His practice focuses on complex technology-related transactions and strategic alliances. He’s a former chair of the California Bar’s Cyberspace Law Committee, vice chair of the American Bar Association’s Privacy and Information Protection Committee, former vice chair of the California Bar’s Business Law Section, and a member of the International Bar Association’s Technology Law Committee. He holds a JD from the UCLA School of Law and a Ph.D. in telecommunications law and public policy from Temple University. He can be contacted here.