FTC v. Wyndham: The Litigation Goes On, But Other Lessons To Learn

JD Supra Perspectives

It’s fair to say that the opinion by the Third Circuit Court of Appeals in FTC v. Wyndham was a set-back for Wyndham, but for businesses it may be just the right wake-up call. For anyone hoping for a check on the Federal Trade Commission’s authority, the ruling clearly gave a boost to the FTC’s power to regulate cybersecurity under the Federal Trade Commission Act.

For years, the FTC has been bringing administrative actions against companies for allegedly deficient cybersecurity practices under the unfair or deceptive acts provision of the Federal Trade Commission Act. As of the FTC’s 2014 Privacy and Data Security Update, more than 50 cases had been brought against companies for allegedly putting consumers’ personal information at risk.

Among these cases is the FTC’s 2012 complaint against Wyndham Worldwide Corporation. The complaint followed three data breaches at Wyndham hotels in which hackers allegedly stole the personal and financial information of over 619,000 consumers, resulting in over $10 million in fraud. Wyndham has since fought claims that it engaged in unfair and deceptive practices in violation of § 45(a) of the FTC Act. In a motion to dismiss and on interlocutory appeal, Wyndham challenged the FTC’s interpretation that deficient cybersecurity can constitute an “unfair practice” under § 45(a) and argued that the FTC’s claims violate due process because Wyndham did not have “ascertainable certainty” of the applicable standards.

The Third Circuit sided squarely with the FTC on both issues. Upholding the FTC’s authority to regulate cybersecurity under the unfairness prong of § 45(a), it rejected Wyndham’s arguments that deficient cybersecurity falls outside the plain meaning of “unfair” and that the FTC’s current position is inconsistent with either recent legislation granting tailored authority to the FTC or prior FTC statements regarding the limits of its cybersecurity authority. On Wyndham’s due process arguments, because Wyndham argued that the relevant question for the court is the scope of § 45(a) itself, rather than the FTC’s own interpretation of the statute, the court applied a less rigorous standard. Rather than “ascertainable certainty [of] the cybersecurity standards by which the FTC expected it to conform,” Wyndham was entitled only to “fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under § 45(a)”—a standard the Court found was easily met in light of the FTC’s allegations.

So now what?

The litigation continues, with Wyndham left to defend the reasonableness of its security practices and privacy policies. Of course, if the FTC’s allegations here are remotely accurate, this is likely to be an uphill battle. It is never a good sign when a court posits that a “company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

But while the litigation goes on, there are clear lessons for how businesses should approach the whole subject of data security and privacy. It may be tempting to believe Wyndham’s experience is unique. After all, what are the odds that a company would face repeated breaches resulting in millions of dollars in fraud and be made an example for others? The reality in today’s cyber-threat environment is that it is more possible than ever. Data breaches may occur for many reasons—employee error, financial motivations, revenge, theft of intellectual property—and against any organization. Just ask Ashley Madison, OPM, and Sony. Every business must assess its own risk and determine the reasonableness of its data security practices and policies. This means proactive thinking, long before any incident, and in a way that involves not just security personnel, but management, counsel, and privacy officers.

The FTC’s complaint describes some of the basic security steps that Wyndham allegedly failed to take, including firewalls, better password security, restricted access, reasonable measures to detect and prevent unauthorized access, and incident response measures. The reasonableness of Wyndham’s security practices is for another day, but businesses would be wise to review the FTC’s allegations and see how their own security measures up. In one footnote regarding the fairness of expecting parties to review FTC filings for cybersecurity guidance, the FTC said as much: “if you’re a careful general counsel you do pay attention to what the FTC is doing, and you do look at these things.” Whether the courts will agree this is a reasonable expectation is unsettled, but with data breaches almost commonplace, it is likely to become standard practice.

Consider, though, that companies may also have to comply with state data security or breach notification laws, and be responsive to state regulators. Navigating this federal and state maze can make it difficult for companies to focus on proactive, rather than compliance-driven, measures, much less find the time to pay attention to every FTC filing. Congress could help here by passing a federal data breach notification law that clearly preempts state obligations.

It is worth remembering that the FTC also alleges that Wyndham’s privacy policy was deceptive. While the Third Circuit did not consider that claim, the FTC is clearly concerned with making sure that corporate privacy statements accurately reflect corporate practices. Do an internet search for privacy statements and you will likely find examples brimming with legalese and promises of security. Posting a detailed statement may reassure a business that it is saying the right things to protect consumer privacy, but if the statement does not reflect reality, the FTC will likely take quick notice.

The Wyndham litigation underscores the importance of proactive, reasonable, and responsible data security measures, and follow-through. Of course, there’s always the gamble that your business may never experience a large-scale breach or an FTC enforcement action. But now that the FTC has judicial sanction to fully regulate in the cybersecurity space, and is clearly intent on doing so, is inaction really worth the risk?

*

[Kathleen Rice is an attorney in Faegre Baker Daniels’ intellectual property practice who provides strategic legal counsel to corporate and government entities on issues relating to data privacy, risk management, cybersecurity, and compliance with federal laws and regulations. Stephen Judge focuses his practice at Faegre Baker Daniels on complex litigation, including class actions and multidistrict litigation, and has significant experience in the areas of antitrust, health care and contract disputes.]