Third Circuit Affirms FTC Authority to Regulate Cybersecurity

On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.

The FTC stated that the Third Circuit decision was an affirmation of its authority to regulate privacy and cybersecurity. The decision, remarked FTC Chairwoman Edith Ramirez, “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The Third Circuit’s decision reminds all companies that the FTC may enforce its understanding of privacy and cybersecurity as expressed in prior guidance and enforcement actions. In light of this anticipated decision, companies should examine their privacy and cybersecurity practices to ensure they are consistent with industry standards, FTC guidance, and FTC enforcement precedent.

FTC’s Allegations

In June 2012, the FTC filed suit against Wyndham relating to its alleged inadequate cybersecurity precautions and deceptive practices. The FTC alleged that, on three occasions, hackers exploited the weaknesses in Wyndham’s computer systems and, in total, stole the personal and financial information of over 600,000 consumers, leading to $10.6 million in fraudulent charges.

“[T]aken together,” the FTC alleged that Wyndham’s practices “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The FTC faulted Wyndham for the following alleged “unfair” practices:

  • storing payment card information in clear readable text;
  • allowing the use of easy-to-guess passwords;
  • failing to use firewalls and other “readily available security measures”;
  • failing to maintain an inventory of its computers;
  • allowing hotel property management systems to connect to its network without security precautions;
  • failing to restrict access by third-party vendors;
  • failing to employ measures to detect and prevent unauthorized access; and
  • not following proper incident response procedures.

The FTC alleged that consumers suffered “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit” and that consumers “expended time and money resolving fraudulent charges and mitigating subsequent harm.” The FTC also alleged that Wyndham engaged in deceptive practices based on statements made in its privacy policy, although this issue was not before the Third Circuit.

Wyndham filed a motion before the district court to dismiss the FTC’s claims. Wyndham argued that, among other things, the FTC’s regulation of cybersecurity practices exceeded its authority under the FTC Act and that Wyndham lacked fair notice of the specific cybersecurity practices that the FTC argued were required. The district court denied the motion but certified its decision on the unfairness claim for appeal to the Third Circuit.

FTC Unfairness Authority

The Third Circuit’s decision affirmed the FTC’s authority to regulate cybersecurity and privacy under the unfairness prong of the FTC Act. Section 5 of the FTC Act provides that the FTC has the authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The “unfairness prong” of the FTC Act, as it has become known, was further qualified by Congress in 1994, when it provided that the FTC “shall have no authority” to declare an act or practice unfair unless it meets three requirements: “[1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” Id. § 45(n).

The FTC’s regulation of cybersecurity under the unfairness prong dates back to 2005. Instead of prescribing that certain cybersecurity practices were required, the FTC has brought a series of cases to determine which practices are required and which ones collectively constitute “reasonable and appropriate [cybersecurity] measures.” The vast majority of these cases have settled. Wyndham, however, was the first to challenge the FTC’s authority to do so.

Wyndham argued that the FTC’s unfairness authority under Section 5 did not authorize the regulation of cybersecurity practices. Specifically, Wyndham contended that Section 5’s three requirements are necessary but not sufficient. While not holding to the contrary, the Third Circuit found Wyndham’s proposed additional conditions unpersuasive. Specifically, although recognizing that public policy concerns may be relevant, the court rejected Wyndham’s claim that unfair conduct must be “unscrupulous” or “unethical,” stating that such an interpretation was rejected by the Supreme Court. It also rejected Wyndham’s argument that the FTC had not established that Wyndham’s actions were “not equitable” or “marked by injustice.” The court noted that a “company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial injury, and retains the profits of their business.” Acknowledging that this blends the concepts of deception and unfairness, the court noted that such claims “frequently overlap.”

The court also rejected Wyndham’s argument that it could not have been deemed to engage in unfair practices when it was the victim of attack. Invoking principles of tort law, the Third Circuit stated that the determining factor under Section 5 was not whether the company’s conduct was “the most proximate cause of the injury,” but rather whether the cybersecurity intrusions were foreseeable given Wyndham’s conduct. This, the Third Circuit stated, Wyndham “for good reason” did not dispute.

Wyndham also argued that Congress’s tailored grants of authority under the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act would make no sense if the FTC already had plenary authority under Section 5 of the FTC Act. The Third Circuit explained that none of these acts of Congress was inexplicable in light of Section 5. Indeed, unlike the FTC Act, each of these acts required the FTC to enact regulations on specific areas of cybersecurity and privacy and, at the same time, expanded the FTC’s authority in these areas.

In short, the Third Circuit did not limit or impose additional requirements for the FTC to exercise its unfairness authority. Rather, the court considered the three-part test of Section 5 and rejected Wyndham’s various attempts to argue that the statute required a greater showing. The three requirements “may be necessary rather than sufficient conditions of an unfair practice,” held the court, “but we are not persuaded that any other requirements proposed by Wyndham pose a serious challenge to the FTC’s claim here.”

Fair Notice

The Third Circuit also rejected Wyndham’s claim that it was entitled to know with “ascertainable certainty” what specific cybersecurity practices were required by Section 5’s general prohibition of unfairness. The court did not construe Wyndham to have challenged any existing agency interpretation of Section 5, but only whether Section 5 itself provided adequate notice that its cybersecurity practices could be deemed unfair. Under the Third Circuit’s opinion, fair notice, in this context, is satisfied so long as the company could “reasonably foresee” that its conduct could fall within the meaning of the statute.

The Third Circuit stated that it had “little trouble” rejecting Wyndham’s claim. It construed Wyndham’s claim as an “as-applied” challenge that it lacked notice of the specific cybersecurity practices alleged by the FTC to be unfair. The court stated that Wyndham could not reasonably have believed that its failure to “use any firewall at critical network points”; “use any encryption for certain customer files”; and “not require some users to change their default or factory-setting passwords at all” would not be deemed “unfair” under Section 5. Wyndham’s challenge, noted the court, was even weaker because it was hacked multiple times. Further, FTC guidance and prior enforcement actions notified Wyndham that such specific practices were required.

The Third Circuit pointed to an FTC “guidebook” on how to protect personal information. And the court relied on similar FTC enforcement actions to demonstrate that companies should have been on notice that specific cybersecurity practices (like those engaged in by Wyndham) were unlawful and in violation of Section 5’s prohibition against unfair acts and practices.

With regard to possible limitations constraining future FTC enforcement actions under its Section 5 “unfairness” authority, the agency will need to consider at least:

  • whether the purported violation of the statute was “reasonably foreseeable” by the defendant (in order to provide the requisite “fair notice”);
  • whether the Commission’s prior actions or existing public policies would have put the defendant on notice that its conduct could fall within the meaning of Section 5 “unfairness”;
  • whether a court construing the statute (in the absence of an FTC rule or other action entitled to Chevron deference) would find the agency’s theory of violation to be “the best or most reasonable interpretation,” as opposed to merely one possible reasonable interpretation;
  • whether any constitutional rights are implicated, such as the defendant’s right to communicate with its customers (because, in such case, the defendant would be entitled to more robust notice of the required standards);
  • whether the defendant committed any inequitable or unjust actions, in addition to failing the cost-benefit calculus of Section 5(n), which requires a finding that the challenged practice causes (or is likely to cause) substantial injury that is not reasonably avoidable by consumers, and that is not outweighed by countervailing benefits to consumers or competition.

Conclusion

The Third Circuit’s decision in Federal Trade Commission v. Wyndham Worldwide Corp. will likely serve as an important guidepost for the FTC’s exercise of authority over issues of cybersecurity and privacy. Over the prior ten years, the FTC has exercised vigorous oversight of privacy and cybersecurity practices in the private sector and may interpret this decision as an affirmation of such regulatory endeavors going forward.