FTC Can Regulate Cybersecurity Practices, Third Circuit Rules

Ballard Spahr LLP

The Federal Trade Commission (FTC) can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act, the U.S. Court of Appeals for the Third Circuit has ruled in a very important case of first impression.

Following three data breaches at Wyndham hotels in less than two years, which resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards, the FTC filed a complaint in which it alleged that Wyndham had engaged in unfair and deceptive acts or practices in violation of Section 5 of the FTC Act. The FTC claimed that defendant’s data-security practices were “unfair” because they failed to include certain security protections and its privacy policy was “deceptive” because it misrepresented the extent of the defendant’s security measures.

In moving to dismiss the complaint, in addition to arguing that it had not engaged in unfair or deceptive acts or practices, the defendant argued that the FTC lacked authority to regulate its cybersecurity policies and procedures under the FTC Act, and that it did not receive fair notice of the standards the FTC expected it to follow. Following the district court’s denial of the defendant’s motion to dismiss, the Third Circuit granted the defendant’s application for an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”

The FTC Can Regulate Cybersecurity Practices as “Unfair” Acts or Practices

Having first decided that it was not persuaded by the arguments “that the alleged conduct falls outside the plain meaning of ‘unfair,’” the Third Circuit rejected the argument that the FTC did not have authority to regulate cybersecurity practices under Section 5. In particular, the Court disagreed with the contention that Congress would not have granted the FTC specific substantive authority regarding cybersecurity issues in the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Children’s Online Privacy Protection Act if the FTC already had regulatory authority over some cybersecurity issues. The Court also ruled that previous statements made by the FTC regarding its authority under Section 5 were not inconsistent with its use of Section 5 to bring “unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm.”

Fair Notice Was Provided

The Third Circuit also rejected the defendant’s argument that it was entitled to know with “ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.” It ruled that this argument was precluded by the defendant’s own contention that there was no FTC interpretation of Section 5 meriting deference and that, as a result, federal courts must interpret Section 5 as it applies to the defendant’s conduct in the first instance.

The Third Circuit found that, as a necessary consequence of the defendant’s contention that the court was interpreting Section 5, the defendant could only claim that it lacked fair notice of Section 5’s meaning. According to the Court, fair notice was satisfied “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Section 5 provides that for the FTC to declare an act or practice “unfair,” it must find that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The Court read Section 5’s unfairness standard as one that “informs parties that the relevant inquiry here is a cost-benefit analysis.” Without making a substantive determination as to whether the defendant’s alleged cybersecurity practices failed that analysis, the Court concluded that the defendant in this case had notice of the possibility that its practices might not pass it.

What Does This Mean for Me?

The Third Circuit decision underscores the importance of the following best practices:

  • Companies should get back to work on assessing and mitigating information security risks. The FTC’s authority to regulate information security practices as potential unfair acts has been reinforced and it will continue its enforcement actions with renewed vigor.
  • Companies should get to know, and closely follow, the FTC’s enforcement actions and publications, including the recent “Start with Security” guide, and amend their practices accordingly. If the FTC has already flagged certain actions as concerns, a company could be considered to be on notice that such actions may be deemed “unfair.”
  • The cost-benefit analysis required by the court may lead to gray areas. Also, reasonableness standards change with time and technological advances. Something the FTC did not deem unfair in the past may be unfair today. Therefore, companies should work to comply with higher thresholds set forth by well-established general information security frameworks (including the NIST Framework, COBIT, ISO 27001 series) or specific industry standards and best practices (including PCI DSS, HITRUST CSF, etc.).
  • Implementing a comprehensive, risk-based information security plan which assigns roles and responsibilities, accountability, employee training, and periodic monitoring is the best way to reduce the likelihood of a cybersecurity breach and to mitigate its scope.

Banks and other companies should also be aware of the realistic possibility that the Consumer Financial Protection Bureau may begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures of banks and other companies subject to its jurisdiction.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
