FTC v. Wyndham: Third Circuit Affirms FTC's Authority to Regulate "Unfair" Cybersecurity Practices

Jackson Walker

In a highly anticipated, precedential opinion released on August 24, 2015, the Third Circuit held that the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act and that Wyndham had fair notice of the meaning of that statute. The opinion is discussed in more detail below.

Background

According to the FTC, Wyndham was the victim of three separate hacks in 2008 and 2009:

  • In the 2008 incident, hackers broke into a local network which was connected to Wyndham's network and the internet. The hackers then used brute force—repeatedly guessing at log-ins and passwords—to ultimately obtain payment information relating to over 500,000 accounts.
  • In the second incident, hackers accessed Wyndham's network through an administrative account and obtained information for over 50,000 consumers. Wyndham discovered malware from the previous hack on more than 30 of its branded hotels' computer systems.
  • In the third incident, hackers again accessed an administrative account to obtain payment information for about 69,000 customers.

The FTC alleges that, as a result of the three attacks, payment card information from over 619,000 consumers was compromised and $10.6 million in fraudulent charges were made.

The FTC's Complaint

In 2012, the FTC filed a civil suit against Wyndham, claiming that Wyndham engaged in "unfair" and "deceptive" practices in violation of § 45(a). Among other things, the FTC specifically alleged:

  • Wyndham allowed Wyndham-branded hotels to store payment card information in clear readable text;
  • Wyndham allowed the use of easily-guessed passwords;
  • Wyndham failed to use "readily available security measures," like firewalls;
  • Wyndham allowed hotel property management companies to connect to its network without taking appropriate cybersecurity precautions;
  • Wyndham failed to "adequately restrict" the access of third party vendors to its network;
  • Wyndham failed to employ "reasonable measures to detect and prevent unauthorized access" to its computer network or to "conduct security investigations"; and
  • Wyndham did not follow "proper incident response procedures."

Wyndham responded to the suit by filing a Rule 12(b)(6) motion to dismiss the unfair practice and deceptive practice claims. The district court denied the motion, but certified its decision on the unfairness claim for interlocutory appeal.

Unfairness

Wyndham argued the alleged conduct fell outside the plain meaning of "unfair" set forth in § 45(a). Wyndham took the position that although the three requirements set forth in § 45(n) are necessary to an unfairness claim, the plain meaning of the word "unfair" imposed additional requirements not met under the facts of the case. The Third Circuit rejected Wyndham's argument that conduct is only unfair when it injures consumers "through unscrupulous or unethical behavior." The Court also decided it made little difference whether the conduct at issue is "not equitable" or is "marked by injustice, partiality, or deception" because facts relating to unfairness and deception frequently overlap. It also dismissed out of hand the claim that "a business does not treat its customers in an 'unfair' manner when the business itself is victimized by criminals." Further, Wyndham's argument that if the FTC had authority to regulate cybersecurity it could also "regulate the locks on hotel room doors" and sue supermarkets that are "sloppy about sweeping up banana peels" was dismissed as "alarmist."

Wyndham also argued that subsequent congressional action, including FACTA, Gramm-Leach-Bliley, and COPPA, established that the FTC did not have regulatory authority over cybersecurity because, if it did, those specific grants would not be necessary. The Third Circuit found this argument unavailing, because FACTA, Gramm-Leach-Bliley, and COPPA require (not just authorize) the FTC to issue regulations.

Fair Notice

Wyndham argued that it was entitled to "ascertainable certainty" of the FTC's interpretation of what specific cybersecurity practices § 45(a) requires. Wyndham had, however, taken the "unmistakable" position that the FTC had not yet declared that cybersecurity practices can be unfair. Accordingly, there was no FTC rule, adjudication, or document that would merit deference. Wyndham was only entitled to fair notice of what the statute requires, and was not entitled to fair notice of the FTC's interpretation of the statute.

Finally, the Third Circuit considered whether Wyndham had fair notice of the meaning of § 45(a). The Third Circuit reviewed Wyndham's fair notice claim as an as-applied challenge. The Court found that the challenge fell "well short given the allegations in the FTC's complaint." Notably, the FTC had alleged that Wyndham failed to use any firewalls, did not restrict specific IP addresses, did not use any encryption, and did not require users to change default or factory-setting passwords at all. And Wyndham had been hacked three separate times. The Court's conclusion was also reinforced by the fact that the FTC had issued a guidebook about protecting personal information in 2007, and had filed numerous complaints and entered into consent decrees raising unfairness claims based on inadequate cybersecurity measures.

Take-Away

The Third Circuit has affirmed that the FTC Act is applicable to cybersecurity and its prohibitions against unfair practices can be used to address cybersecurity lapses. Given the increases in cybersecurity incidents, and this affirmation of the FTC's authority, it is more critical than ever that businesses plan to protect the information they collect and have incident response plans in place in the event that the data is compromised. It remains to be determined where the line will be drawn as to what measures are deemed adequate; the alleged conduct in this case was rather egregious and provides little guidance as to what might be required.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising
