KMK Law Cybersecurity & Privacy Blog

In a case that will have significant ramifications for the legal landscape relating to cybersecurity, the Third Circuit Court of Appeals affirmed a lower court’s decision that the Federal Trade Commission (FTC) had the authority to regulate companies’ data security practices.

The case—FTC v. Wyndham Worldwide Corporation—stemmed from three separate cyber attacks in 2008 and 2009, where hackers successfully accessed Wyndham’s computer systems to steal personal and financial information for hundreds of thousands of Wyndham customers. Hackers used this information to make over $10.6 million in fraudulent charges.

Based on these events, the FTC filed an administrative action against Wyndham under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Specifically, the FTC alleged that (1) the security breaches, giving access to Wyndham’s customer and personal information, constituted unfair business practices; and (2) Wyndham made deceptive representations to consumers that it used reasonable and appropriate cybersecurity measures to protect such data.

Wyndham moved to dismiss the action and challenged the FTC’s authority on two grounds. First, Wyndham argued that other laws passed by Congress—e.g., the Fair Credit Reporting Act and Gramm-Leach-Bliley Act—effectively limited the FTC’s authority to regulate data security issues. Second, Wyndham argued that the FTC failed to promulgate sufficiently clear regulations in violation of the due process clause. The district court denied Wyndham’s motion to dismiss in its entirety.

The Third Circuit affirmed the district court’s ruling. In so doing, the Third Circuit made clear that a company’s lax cybersecurity policies can be deemed “unfair acts or practices affecting commerce” under the Federal Trade Commission Act and the FTC has regulatory authority over such corporate cybersecurity issues.

For businesses trying to implement cybersecurity measures and understand how inadequate security can lead to bigger problems down the road, the most important aspect of the decision is that the Third Circuit rejected Wyndham’s argument that the FTC had not promulgated sufficiently clear regulations so that Wyndham would have notice of what specific cybersecurity practices are necessary to avoid liability. 

The Third Circuit noted that in 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Business, which describes a checklist of practices that the FTC believed form a sound data security plan. The guidebook did not state that any particular practice was required, but it did counsel against many of the specific practices alleged against Wyndham. For instance, the FTC’s complaint did not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, the FTC complaint alleged that Wyndham failed to use any firewalls at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all. 

The Third Circuit also pointed out that before the cyberattacks on Wyndham, the FTC had filed complaints and entered into consent decrees in other administrative actions raising unfairness claims based on inadequate corporate security. The FTC published these materials on its website and provided notice of proposed consent orders in the Federal Register. While it recognized that “it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees,” the Third Circuit noted that Wyndham never argued that it was unaware of these materials.

Thus, the lesson for businesses is clear—you must have some cybersecurity policies and procedures in place. And while the Third Circuit declined to specify what exactly is needed in terms of specific practices and scope, it indicated that a good starting point is the checklist of practices from the FTC’s 2007 publication, “Protecting Personal Information: A Guide for Business” and from the FTC’s previous complaints and consent decrees. The FTC has provided more recent guidance as well: “Protecting Personal Information: A Guide for Business” (November 2011) and “Start With Security: A Guide for Business” (June 2015).