Third Circuit Not Hospitable to Wyndham, Upholds FTC’s Broad Powers to Regulate Cybersecurity

Foley Hoag LLP - Security, Privacy and the Law

Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week, when the Third Circuit affirmed Judge Esther Salas’ refusal to dismiss the Federal Trade Commission’s lawsuit against Wyndham that alleged unfair and deceptive trade practices under 15 U.S.C. § 45(a).

As the Third Circuit noted, the FTC has brought administrative actions under § 45(a) against firms with allegedly deficient cybersecurity since 2005, most of which have ended in settlement. Wyndham, whose computer systems were hacked on three occasions in 2008 and 2009, did not settle, but rather advanced the argument that the FTC has consistently overstepped its statutory authority in using the FTC Act’s prohibition on “unfair or deceptive acts or practices in or affecting commerce” to sue firms whose cybersecurity leaves consumers vulnerable to hackers.

Across forty-seven pages, the Third Circuit vigorously disagreed with Wyndham, and embraced a broad conception of the FTC’s authority to regulate. The legal arguments are numerous and wide-ranging, but among them, Wyndham’s due process claim merits discussion as a reminder of the need to keep up to date with developments in cybersecurity and the FTC’s enforcement activities.

Wyndham argued that punishment pursuant to the FTC Act was unconstitutional because Wyndham lacked notice of what specific cybersecurity practices were needed to comply with the Act. The Third Circuit noted that the standard for what constitutes fair notice is “especially lax for civil statutes that regulate economic activities”; in such a circumstance, to be impermissible the relevant regulatory standard must be “so vague as to be no rule or standard at all.” CMR D.N. Corp. v. City of Philadelphia, 703 F.2d 612, 631-32 (3d Cir. 2013). The Court then pointed to 15 U.S.C. § 45(n), which empowers the FTC to declare unfair a practice that “causes or is likely to cause substantial injury to consumers which is not unreasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The Third Circuit acknowledged that § 45(n)’s balancing test is hardly a firm guide for companies wondering whether their conduct comports with the Act, but neither is it unconstitutionally vague: “under a due process analysis a company is not entitled to such precision as would eliminate all close calls […] Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Where should companies look for guidance, then? The Third Circuit’s answer: to the FTC’s “expert views about the characteristics of a sound data security plan,” in particular, its 2007 guidebook, Protecting Personal Information: A Guide for Business, as well as its ongoing complaints in administrative cases raising unfairness claims based on inadequate cybersecurity.

The Guide is, of course, only the tip of the FTC-guidance iceberg, which also features an informational website and regularly updated blog. But even voluminous guidance materials cannot answer every question or provide a checklist of measures that will succeed every time. (In cybersecurity, after all, the latter does not exist.) This is why companies need an individualized approach to cybersecurity, taking into account both advances in technology and trends in enforcement.

 
