
Third Circuit Decides the FTC Will Be the Primary Authority on Data Breach and Privacy

In FTC v. Wyndham Worldwide Corporation, et al.,[1] the United States Court of Appeals for the Third Circuit held that the Federal Trade Commission (“FTC”) has authority over “unfair or deceptive” cybersecurity practices under Section 5 of the Federal Trade Commission Act (“Act”). This case will have important implications for any business or person that solicits, accepts and stores private, personal and financial information.

On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation’s (“Wyndham”) computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. The FTC filed suit in federal District Court alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. More specifically, the FTC alleged that Wyndham:

  • failed to use “readily available security measures,” such as firewalls;

  • stored credit card information in clear, readable text;

  • failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;

  • failed to address known security vulnerabilities on servers or follow “proper incident response procedures” (the hackers used similar methods in each attack); and

  • allowed use of default non-complex user names and passwords for access to servers.

The District Court denied Wyndham’s motion to dismiss the FTC’s complaint, and the appeals court granted interlocutory appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of §5; and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”

The Third Circuit considered the FTC’s regulatory authority under §5 of the Act, and specifically, the prohibition of “unfair methods of competition in commerce.” To justify a finding of unfairness, a consumer injury must (i) be substantial, (ii) not be outweighed by any countervailing benefits to consumers or competition that the practice produces and (iii) be an injury that consumers themselves could not reasonably have avoided. The Third Circuit determined: 

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business… and [c]onsumers could not reasonably avoid injury by booking with another hotel because Wyndham had published a misleading privacy policy that overstated its cybersecurity. (Emphasis added).

What’s more, the court found no subsequent congressional action that could somehow exclude cybersecurity from §5’s meaning. Accordingly, the unfairness requirements were satisfied by allegations in the FTC’s complaint.

The appeals court next considered whether Wyndham had fair notice that its specific cybersecurity practices could fall short of the unfairness provision of the Act. The fair notice doctrine of the Due Process Clause of the United States Constitution extends to civil cases, although a different set of considerations is implicated when agencies are involved in statutory or regulatory interpretation. Private parties are entitled to know with “ascertainable certainty” an agency’s interpretation of its regulation, and courts are to give some deference to an agency’s interpretation. Thus, Wyndham argued that it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by §5. The appeals court rejected Wyndham’s argument because, as the court noted and as Wyndham itself had apparently repeatedly argued, there is no FTC rule or adjudication about cybersecurity that merits deference. Consequently, Wyndham was only entitled to notice of the meaning of the statute and not to ascertainable certainty of the agency’s interpretation of the statute.

Wyndham will now face suit in district court for the cybersecurity breach of its customers’ personal and financial information, with the prospect of financial damages and, more intrusively, remedial action to cure the deficiencies alleged in the complaint (see above). Unfortunately for other businesses, while they know the FTC has the power to pursue them for practices that may be considered unfair, they still have no guidance as to what those practices may be other than the general, unsystematic pronouncements of the FTC and the various complaints that it has filed against others. As the Third Circuit observed, the FTC has no comprehensive rule regarding privacy policies. We recommend, in light of this uncertainty, that businesses review their current policies to ensure that they are, in fact, doing what they say they are doing. In addition, the FTC has just issued guidance on data security, and so any policy should take that guidance into account. Interestingly, the guidance deals with the substance of data security as opposed to the issue of disclosure, raising the question of whether a business whose policy accurately states what it is doing in fact, but whose practices are inadequate, can nonetheless be found to be engaged in an unfair practice.

1. Slip op. 14-3514, August 24, 2015.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume V, Number 261

About this Author

Jeff C. Dodd, Andrews Kurth Law Firm, Securities Attorney

Corporate, Securities and Corporate Finance: experience in diverse domestic and international corporate transactions, including representing issuers and underwriters (and investment bankers) in connection with public and private securities offerings (including IPOs and secondary offerings); representing venture capital and other investment groups or funds, as well as portfolio companies, in private debt and equity financing transactions; representing various participants (buyers, sellers, financing sources) in merger and acquisition and change of control transactions, public...

Sean S. Wooden, Intellectual Property Attorney, Andrews Kurth Law Firm

Sean’s practice focuses on advising clients on their intellectual property needs (including patents, copyrights, trademarks and trade secrets) and other areas of law related to technology. He develops, manages and exploits IP portfolios. Sean's practice involves the procurement of intellectual property rights such as patents, trademarks and trade secrets.

Sean has particular experience in building patent portfolios that may be sold for significant return on investment. He has recently helped to sell one client’s patent portfolio for greater than a 5x return on investment, and is...

Gerald "Gary" L. Lett, Andrews Kurth, Intellectual Property Attorney, Patent Litigation Lawyer, Of Counsel

Gary is Of Counsel in the Intellectual Property section, after a lifetime of experiences ranging from a patent litigation partnership in a Washington firm to in-house counsel responsible for intellectual property matters for the Information Systems Division of Northrop Grumman Corporation. He has engaged in patent prosecution and litigation for clients in the software, telephone, television, radio, broadcast systems and entertainment devices. Gary has extensive knowledge of government contracts law including protection of private IP rights in government procurement,...

Lee Davis, Andrews Kurth Law Firm, Patent Attorney

Lee's practice focuses on intellectual property (IP) and technology and includes advice and counseling, procurement, licensing and acquisition, and litigation regarding all aspects of patents, trademarks, copyrights, and trade secrets. Lee is a registered patent attorney and has substantial experience preparing and prosecuting both domestic and foreign patent applications. He has technical experience in a variety of fields, including technology relating to downhole tools, drilling assemblies, drill bits, oilfield tubulars and premium threaded connections, coiled tubing, shaker...