Third Circuit Finds that the FTC Has Authority to Sue Companies for Inadequate Cybersecurity Practices as an "Unfair" Practice
by Janet M. Johnson, natlawreview.com
September 6
In addition to multi-party or class action lawsuits,[1] companies that have their computer networks hacked may also be subject to investigations and enforcement actions by the Federal Trade Commission ("FTC"). This week the Third Circuit Court of Appeals decided in Federal Trade Commission v. Wyndham Worldwide Corp. that the FTC has authority to regulate the way companies safeguard personal information not simply for "deceptive" acts, but as an "unfair" business practice. This decision highlights the need for companies to familiarize themselves with the FTC's guidance on cybersecurity measures.
In Wyndham, the FTC sued the international hotel chain after Wyndham's computer network was hacked on three different occasions in 2008 and 2009. Wyndham's customer privacy policy stated that, among other things, Wyndham safeguarded its customers' personal information "by using industry standards" and being "consistent with all applicable laws and regulations." Nevertheless, the personal information for hundreds of thousands of customers was stolen, including payment card information allegedly exported to a domain registered in Russia and used to incur over $10 million in fraudulent charges. The FTC filed suit in U.S. District Court claiming that Wyndham engaged in "unfair" and "deceptive" practices in violation of 15 U.S.C. § 45(a). Wyndham filed a motion to dismiss both the unfair and deceptive practice claims. The motion was denied, but the trial court certified its decision on the unfair practices claim for interlocutory appeal.
Under Section 5 of the Federal Trade Commission Act (the "Act"), the FTC has authority to act against companies that have engaged in "unfair or deceptive acts or practices in or affecting commerce." The Act codifies an unfair act as one that "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." 15 U.S.C. § 45(n).
On appeal, Wyndham made several arguments, including: (1) an "unfair" practice required a finding that such practice was inequitable or characterized by injustice, partiality, or deception; (2) the FTC's authority in the cybersecurity context was limited by "less-extensive" legislation such as the Children's Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act; (3) as a victim of its computer network being hacked, its practices could not be deemed "unfair"; and (4) that Wyndham did not have fair notice of the specific cybersecurity standards that the FTC expected it to follow.
In affirming the trial court's decision that the FTC has authority to regulate companies' cybersecurity practices, the Third Circuit rejected Wyndham's arguments and held that: (1) the "unfair" prong of § 45(a) does not require any deceptive acts or inequitable conduct; (2) cybersecurity practices could fall into the category of "unfair acts"; (3) there was no supporting authority for the notion that, just because Wyndham was also a victim of cyber-attacks, Wyndham could not be liable to the FTC; and (4) since it was foreseeable that Wyndham's customers could be harmed by its failure to implement reasonable and appropriate cybersecurity practices, Wyndham was on notice that the FTC could bring an enforcement action.
Given the FTC's authority to regulate cybersecurity practices, companies should strive to understand the FTC's expectations as a regulator. The FTC's website publishes complaints, settlements, and guidelines that are helpful. In particular, last month the FTC published "Start With Security, a Guide for Business,"[2] which distills facts from more than 50 enforcement actions into ten lessons "that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose." Included in these guidelines are practices the FTC asserts are not reasonable and appropriate, with specific reference to the companies the FTC took action against for such practices.
Notably, it was Wyndham's alleged failure to implement reasonable and appropriate standards that contributed to the FTC's decision to file suit. The FTC alleges Wyndham didn't use a firewall, didn't change default passwords, didn't encrypt credit card information, didn't monitor its network for its customers' personal information, and did not limit third-party access to the company's networks and computers. Although not raised on appeal, the FTC asserted a deceptive practices claim against Wyndham in the trial court proceeding based on Wyndham's failure to comply with its own privacy policy. As a result of the Third Circuit's decision, the trial court will move forward to consider the merits of all of the FTC's claims against Wyndham.
One consumer advocacy group estimates that cyber-attacks caused more than $500 million in damages in 2014 alone. While federal legislation is still being developed, and a patchwork of legislation relating to data breaches still evolves,[3] companies should be mindful of the FTC's authority to regulate cybersecurity practices, implement reasonable and appropriate industry standards, and familiarize themselves with the FTC's guidelines.
Elyssa D. Durant
Research & Policy Analyst
Columbia University, New York