Third Circuit Finds that the FTC Has Authority to Sue Companies for Inadequate Cybersecurity Practices as an "Unfair" Practice
In addition to multi-party or class action lawsuits,[1] companies whose computer networks are hacked may also face investigations and enforcement actions by the Federal Trade Commission (“FTC”). This week the Third Circuit Court of Appeals held in Federal Trade Commission v. Wyndham Worldwide Corp. that the FTC’s authority over how companies safeguard personal information extends not only to “deceptive” acts but also to “unfair” business practices. The decision highlights the need for companies to familiarize themselves with the FTC’s guidance on cybersecurity measures.
Under Section 5 of the Federal Trade Commission Act (the “Act”), the FTC has authority to act against companies that have engaged in “unfair or deceptive acts or practices in or affecting commerce.” The Act provides that an act or practice may be declared unfair only if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n).
On appeal, Wyndham made several arguments, including: (1) an “unfair” practice required a finding that such practice was inequitable or characterized by injustice, partiality, or deception; (2) the FTC’s authority in the cybersecurity context was limited by “less-extensive” legislation such as the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act; (3) as a victim of its computer network being hacked, its practices could not be deemed “unfair”; and (4) that Wyndham did not have fair notice of the specific cybersecurity standards that the FTC expected it to follow.
In affirming the trial court’s decision that the FTC has authority to regulate companies’ cybersecurity practices, the Third Circuit rejected Wyndham’s arguments and held that: (1) the “unfair” prong of § 45(a) does not require a showing of deceptive acts or inequitable conduct; (2) cybersecurity practices can fall within the category of “unfair acts”; (3) no authority supports the notion that Wyndham could not be liable to the FTC merely because it was itself a victim of cyber-attacks; and (4) because it was foreseeable that Wyndham’s customers could be harmed by its failure to implement reasonable and appropriate cybersecurity practices, Wyndham was on notice that the FTC could bring an enforcement action.
Given the FTC’s authority to regulate cybersecurity practices, companies should strive to understand the FTC’s expectations as a regulator. The FTC’s website publishes complaints, settlements, and guidelines that are helpful. In particular, last month the FTC published “Start With Security: A Guide for Business,”[2] which distills facts from more than 50 enforcement actions into ten lessons “that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.” The guide identifies practices the FTC considers not reasonable and appropriate, with specific reference to the companies against which the FTC took action for those practices.
One consumer advocacy group estimates that cyber-attacks caused more than $500 million in damages in 2014 alone. While federal legislation is still being developed and a patchwork of state data-breach laws continues to evolve,[3] companies should be mindful of the FTC’s authority to regulate cybersecurity practices, implement reasonable and appropriate industry-standard safeguards, and familiarize themselves with the FTC’s guidelines.