Third Circuit Says FTC Can Regulate Data Security: Enforcement Suit Against Wyndham Affirmed

Posted by Craig Carpenter, Mackenzie Wallace

Yesterday the Third Circuit affirmed the Federal Trade Commission's authority to regulate companies' data security practices and rejected Wyndham Worldwide Corporation's argument that Congress never intended for the Commission to use its authority to police such practices. The Third Circuit's opinion can be found here. This latest ruling in the closely followed saga leaves the hotel chain on the hook for the hack that resulted in the breach of card information for over 600,000 customers and over $10 million in fraudulent charges, and it clears the way for the FTC to hold companies accountable for failures in data security policies and practices.

Background

The FTC sued Wyndham in June 2012, alleging that the hotel chain failed to protect consumers whose private information was accessed by hackers who breached the company's computer systems (previously blogged here). The FTC claimed that Wyndham's actions amounted to a violation of Section 5 of the FTC Act, which allows the Commission to police unfair and deceptive trade practices. Wyndham challenged the FTC's data protection and enforcement authority, arguing that the FTC could not take action against it because the Commission had never published rules stating what it requires of companies to protect against data breaches, so there was no clear "standard" for Wyndham to follow. As we discussed in our previous blog post on this suit (here), on April 7, 2014, the United States District Court for the District of New Jersey held that the FTC had the authority to bring enforcement actions against companies over allegedly lax data security practices, rejecting Wyndham's motion to dismiss the case on the ground that the FTC lacks data security enforcement power.

The August 24, 2015 Opinion

On August 24, 2015, in a unanimous opinion written by Judge Thomas Ambro for a three-judge panel, the Third Circuit affirmed the district court's rulings, holding specifically that the FTC has authority to bring cybersecurity-related actions on the basis that the challenged practices are "unfair," and that Wyndham had sufficient notice of the possible regulatory requirements under the applicable standard. The Third Circuit confirmed that the regulator has authority under the unfairness prong of Section 5 of the FTC Act to sue companies over insufficient data security practices and that the agency has no duty to publish regulations detailing what constitutes "reasonable" data security. In response to the ruling, FTC Chairwoman Edith Ramirez released the following statement: "Today's Third Circuit Court of Appeals decision reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."

Although the Third Circuit at oral argument questioned Congress' intent in enacting the unfairness prong of Section 5, the panel unanimously found Wyndham's argument unpersuasive, writing in its opinion that "[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business." The Third Circuit found that the relevant legal rule is not so vague as to keep a company from performing a standard cost-benefit analysis of investing in stronger cybersecurity protections, given the probability and expected size of reasonably unavoidable harms to consumers.

Takeaway

The ruling was much anticipated because of its potential implications for the regulatory liability exposure of companies that have been victims of data breaches, and it ensures that the Commission's aggressive regulatory approach will not slow down at a time when Congress has not passed comprehensive data security legislation. However, while the ruling validates the FTC's authority to bring such claims, the court did not rule that the FTC is entitled to prevail on them. The case now goes back to the district court for further proceedings consistent with this ruling. The effect of the Third Circuit's ruling is that companies that experience a data breach will not only suffer consequences such as disruption, expense, adverse publicity, and civil suits from customers and shareholders, but may also find themselves the target of a regulatory enforcement action.

This case does little, however, to help companies identify the "standard" of data security that will help them avoid FTC scrutiny in the event of the inevitable breach. Wyndham got into trouble because the FTC believed that its public-facing privacy policy overstated its data security practices and that those practices were unreasonable: the FTC alleged that Wyndham lacked fairly standard security measures, including firewalls and encryption. But what if Wyndham's privacy policy had been vaguer? And how much data security is enough? Neither Congress nor the FTC has definitively answered these questions, and we are far from a consensus; however, trends have started to develop and there is guidance available for companies. For example, Judge Ambro mentions in the opinion that the FTC's Protecting Personal Information: A Guide for Business guidebook may be a good starting place for companies. Going forward, it will be interesting to see how this ruling affects the FTC's involvement in subsequent data security breaches. For example, it is easy to picture the FTC taking a closer look at the recent, high-profile Ashley Madison data breach in light of the Third Circuit's affirmation of the Commission's data security enforcement authority.