As it is commonly understood, the Great Fire of London spawned two fixtures of the modern world: advancements in firefighting and property insurance.  The risk of fire was seen as a threat to society as a whole, and mechanisms to mitigate that risk were naturally born.  Now, the world has ubiquitous measures to minimize the risk of fire.  However, in the modern era, we are facing a new fire: data breaches.  In the words of the Talking Heads, “[h]old tight, we're in for nasty weather.”[1]

The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  15 U.S.C. § 45(a).  The FTC can now sue a business for unfair and deceptive trade practices if it is hacked.  On appeal from a denial of a motion to dismiss, in Federal Trade Commission v. Wyndham Worldwide Corporation, WL 4998121 (3rd Cir 2015), the Third Circuit Court of Appeals affirmed a district court decision finding that the Federal Trade Commission (“FTC”) has the authority to regulate cybersecurity.  Id. at 1.

Wyndham is simply an affirmance of a denial of a motion to dismiss.  The FTC stated a cause of action and may proceed and litigate the case.  The FTC is still required to prove that Wyndham’s practices at the time were unfair.

However, the Wyndham decision is important because it gives the FTC broad authority to police businesses that get hacked for having inadequate cybersecurity measures.  The mainstream popularity of recent events such as the Sony and Ashley Madison data breaches means that businesses are certainly more on notice of the possibility of data breaches now than when Wyndham was hacked in 2008 and 2009.  We are witnessing the modern-day Great Fire of London unfold before our eyes.

Background

In 2008 and 2009, hackers on multiple occasions stole information regarding 619,000 of Wyndham’s customers from Wyndham’s computer system.  Id. at 3.  These hacks resulted in over $10.6 million in fraudulent charges to Wyndham customers.  Id. at 1.

Wyndham licensed its name to approximately 90 independent hotels.  Id.  The hotels utilized a payment processing system that they were required to purchase and configure.  This payment processing and property management system stored personal information about customers such as credit card numbers, names and addresses.  Id.  Wyndham manages the system and operates a network that connects the Wyndham central database to the independent hotels.  Id.

In 2012, the FTC filed suit alleging, inter alia, that 1) Wyndham allowed the independent hotels to store credit card information in clear, readable text; 2) Wyndham allowed the use of easily guessed passwords to its property management system; 3) Wyndham did not use security measures such as firewalls to prevent access between the property management system, corporate network, and the internet; 4) Wyndham did not ensure that the hotels had adequate information security measures; 5) Wyndham did not adequately restrict access of third-party vendors to its network or to the servers of its branded hotels; 6) Wyndham failed to implement adequate measures to detect and prevent unauthorized access or to conduct cybersecurity investigations; and 7) Wyndham did not follow proper incident response procedures, as the hackers used similar methods in each attack.[2]  Id. at 1-2.

The FTC is allowed to pursue Wyndham under the unfairness prong of 15 U.S.C. § 45(a).

The overall theme of Wyndham’s argument was that mere negligence is not enough to trigger “unfairness” under the FTC Act.  The court, however, found that unfairness is a “flexible concept with evolving content.”  Id. at 3.  Additionally, the concept of unfairness does not require unscrupulous or unethical behavior.  Id. at 5.

Wyndham argued that it did not treat customers in an unfair manner because Wyndham itself was victimized by criminals.  However, the court found “[t]hat a company’s conduct was not the most proximate cause of injury does not immunize liability from foreseeable harms.” Id. at 6.

Wyndham further argued that if the FTC’s unfairness authority extends to Wyndham, it also requires “every store in the land to post an armed guard at the door.”  This reasoning was cleverly rebuked by the court, which stated: “If Wyndham were a supermarket leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”  Id. at 7.

Congressional action regarding cybersecurity after the 1938 amendment of § 45(a) did not prove that the FTC lacked authority to regulate cybersecurity.

Wyndham also argued that because Congress enacted legislation directed at the FTC regarding data regulation after the 1938 amendment of § 45(a), the FTC did not naturally have power under § 45(a) to deal with cybersecurity.  Specifically, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act ordered the FTC to regulate cybersecurity in various ways.  Id. at 7.

The court disagreed with Wyndham, noting that the acts cited by Wyndham required the FTC to regulate certain aspects of cybersecurity.  The fact that Congress required the FTC to act, the court reasoned, does not mean that the FTC did not already have the authority to act voluntarily.  Id. at 8.

Further, Wyndham noted that in 1998 and 2000, the FTC stated that it cannot require companies to adopt fair information practices. Id. at 9.   However, the court found the FTC’s act of bringing “unfairness actions against companies whose inadequate security resulted in consumer harm is not inconsistent with the agency’s earlier position.” Id. at 9.

Wyndham was given fair notice.

Wyndham argued that it had no fair notice of the cybersecurity standards it was required to follow.  Id.  The fair notice doctrine, although primarily a criminal concept, extends to civil cases, particularly where a penalty is imposed.  Id.  The court noted that the standards for fair notice are especially lax for civil statutes that regulate economic activity.  Id. at 10.  Wyndham argued that it was entitled to “ascertainable certainty” of the FTC’s interpretation of what cybersecurity practices are required by § 45(a).  The court concluded that Wyndham was not entitled to ascertainable certainty of the FTC’s interpretation of § 45(a).  Id. at 13.

Rather, the issue was whether Wyndham had fair notice of the meaning of the statute, not of the agency’s interpretation of the statute.  Id.  The court explained that § 45(n) essentially sets forth a cost-benefit analysis.  Id.  In the language of the statute, the issue is whether Wyndham’s cybersecurity practices “cause[d] substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  Id.

The court found that Wyndham’s challenge failed because the FTC alleged that certain security measures (such as firewalls, IP address restrictions, encryption software, and passwords) were missing completely from Wyndham’s security scheme.  In short, the allegations were that certain security measures did not exist at all, not that the measures were not good enough.  Id. at 14.  The court also noted that Wyndham was hacked three times and that, at least after the second hack, Wyndham was on notice that a court could find its cybersecurity measures fail the § 45(n) cost-benefit analysis.[3]

In a practical sense, what does this mean?

In addition to consumer lawsuits for data breaches, a business may face actions from governmental agencies such as the FTC, and from state attorneys general copying the FTC and acting under state deceptive and unfair trade practices laws.

Whether the FTC will actually prevail on the merits in Wyndham is yet to be determined.  However, the Wyndham case should be taken as a warning that businesses need state-of-the-art cybersecurity measures.  While even the best systems can be breached, a business should be in the position of defending breach-related litigation with strong measures in place rather than being forced to explain why it had weak (or no) measures.

A business should not get hacked multiple times via the same vulnerability.  After the first time (or according to the Third Circuit, certainly the second time), the business should be on notice.  Make every effort after a breach to discover the vulnerability and patch it.

When breaches occur, businesses need “firefighters.”  Make a plan for a data breach as you would plan and prepare for any other disaster.

Businesses must deliver on their stated privacy and security promises.  If a business advertises that it has certain security measures and does not actually use those measures, this is an easy way to become a target because, at that point, the business is not merely negligent; there is also a colorable argument that it is deceptive.

Finally, because almost all businesses handle electronic data, all businesses, and their officers and directors, should be properly insured against both cyber-risk and government investigations.  Not doing so would be as imprudent as not having insurance against fire.


[1] Talking Heads. Burning Down the House. 1983.

[2] Although not an issue on appeal, the government also accused Wyndham of overstating its cybersecurity measures in a published privacy notice.  Id. at 2.

[3] The court also noted that the FTC issued a guidebook in 2007 with a checklist of data security practices.