Third Circuit’s Decision Gives FTC Bigger Byte!
By Amy Stewart Law
In August 2015, in the first appellate case of its kind, the U.S. Court of Appeals for the Third Circuit released its opinion in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514, Aug. 24, 2015, holding that the FTC has the authority to assert watchdog claims against private companies under the “unfairness” provision of the Federal Trade Commission Act for failure to implement cybersecurity safeguards, resulting in a data breach.
In 2012, the FTC brought an enforcement action against Wyndham under 15 U.S.C. § 45(a) for failing to protect consumer data after Russian hackers breached Wyndham’s computer systems (three times), and stole credit card information of more than 600,000 accounts. The FTC alleged that Wyndham’s failure to implement adequate security measures was “unfair” within the meaning of the Act, causing “substantial harm” to consumers in the form of more than $10.6 million in fraudulent credit card claims.
Among other things, the FTC alleged Wyndham:
- Stored credit card information in clear, readable text
- Implemented inadequate password protection controls
- Failed to use firewalls
- Maintained overly permissive networking protocols
- Used default user IDs and passwords
- Allowed easy access to networks and servers for third party vendors
- Failed to maintain an inventory of computers with access to its network
- Failed to conduct security investigations
- Failed to institute appropriate incident response protocols
- Made express representations to its customers on its website that Wyndham took the safety of its customers’ privacy very seriously
Wyndham filed a motion to dismiss the FTC’s claim on the basis the FTC lacked authority to regulate cybersecurity under 15 U.S.C. § 45(n). Wyndham also complained the FTC had not provided notice of the security measures it sought to enforce.
The district court denied the motion, but certified two questions to the Third Circuit by interlocutory appeal: (1) whether the FTC has the authority under the “unfairness provision” of the Act to pursue claims for the failure to implement adequate cybersecurity safeguards; and (2) whether Wyndham had notice that its policies and procedures could be declared “unfair” under the Act.
The Third Circuit affirmed the district court’s ruling, concluding the FTC had the ability to enforce the unfairness provision of the Act where the protection of public interest outweighs other concerns.
The court rejected Wyndham’s argument that the passage of more recent industry-specific statutes like the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act indicated Congress did not intend for the FTC to regulate cybersecurity, holding that the unfairness provision did not render the passage of more recent legislation “inexplicable.”
The court similarly dismissed Wyndham’s argument that allowing the FTC to regulate cybersecurity was tantamount to giving the FTC “the authority to ‘regulate the locks on hotel room doors, to require every store in the land to post an armed guard at the door, and to sue supermarkets that are sloppy about sweeping up banana peels’”. The court held: “[t]he argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”
The court further concluded Wyndham had adequate notice that its conduct might give rise to liability. The court held that Wyndham was not entitled to the same type of notice as might be afforded under a criminal statute, because the court was interpreting the Act rather than the FTC’s own interpretation of the Act, or a regulation implementing the Act. According to the court, Wyndham was entitled only to “fair notice of what the statute itself requires”, not “ascertainable certainty” of “the FTC’s interpretation of the statute.”
The court noted Wyndham had been put on notice of the statutory requirements in a number of different ways. Wyndham was “hacked not one or two, but three times.” “At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.” Wyndham could have, for instance, noted the court, “read the FTC’s book ‘Protecting Personal Information: A Guide for Business’, which establishes a ‘checklist’ of practices that form a ‘sound data security plan.’”
The court’s opinion opens the door for the FTC to unilaterally bring consumer protection enforcement claims for a company’s failure to implement safeguards to protect its customers’ personally identifiable information. The decision may also herald more collaboration between the FTC and other governmental agencies with limited oversight over privacy issues and no independent authority to act. In other words, the FTC may become the enforcement arm of other governmental agencies for the protection of consumer privacy.
Mitigation of Risk
For businesses, the FTC’s ability to enforce the recent industry-specific “guidelines” and “best practices” (such as those issued by the Securities and Exchange Commission and the Department of Energy) under the “unfairness provision” of the Act means the implementation of proper cybersecurity protocols should be a top priority in order to avoid the assessment of penalties and fines. The FTC guidelines, as well as industry-specific protocols, should be reviewed and followed where possible.
Companies must also make sure they are adequately insured for an FTC claim. While some D&O, E&O, and technology policies provide coverage for regulatory proceedings, the limits of liability may be capped (at a very low amount) and, in some cases, coverage is excluded unless specifically purchased. Dust off your policy and take a look. The risk of regulatory liability should be assessed right alongside the company’s risk of legal liability and accordingly insured.