March 29, 2020


Third Circuit Sides with FTC in Data Security Dispute with Wyndham

The US Court of Appeals for the Third Circuit recently issued a ruling in favor of the Federal Trade Commission (FTC) in FTC v. Wyndham Worldwide Corporation in which the court found that the FTC has the authority to regulate cybersecurity under the unfairness prong of the FTC Act.

On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation’s computer systems and stole personal and financial information relating to hundreds of thousands of consumers. The FTC filed suit against Wyndham in federal district court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. Wyndham argued that the FTC did not have the authority to regulate cybersecurity under the unfairness prong of §45(a) and that it did not have fair notice that its specific cybersecurity practices could fall short of that provision.

The FTC Act prohibits unfair methods of competition in commerce. The court stated that under the amendments to the act, the FTC could deem a practice unfair “if the practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The court then went on to state that “a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Regarding Wyndham’s fair notice argument, the court concluded that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity standards are required by §45(a). Instead, the relevant question was whether Wyndham had fair notice that its conduct could fall within the fair meaning of the statute. The Third Circuit rejected Wyndham’s fair notice challenge, stating that the relevant rule is not so vague as to be no rule or standard at all. Further, the court stated that in 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Businesses, which describes a checklist of practices that form a “sound data security plan.” The court stated that the guidebook could have helped Wyndham determine in advance that its conduct might not survive a standard cost-benefit analysis of investing in stronger cybersecurity protections given the probability and the size of harm to customers.

Although the FTC has been bringing administrative actions under §45(a) against companies with allegedly deficient cybersecurity standards since 2005, the vast majority of such cases ended in settlements and consent orders. The Third Circuit notes that, although the consent orders focus on prospective conduct and are “of little use” in understanding the specific requirements of §45(a), the FTC’s complaints in these actions paint a picture of security practices that the FTC deems violative of the statute.

The case further highlights the need for companies to take care in crafting the terms of their privacy policies to ensure that the promises made in such policies are reasonably complete and accurate. Although the Third Circuit did not directly analyze the FTC’s deceptive practices claim, the opinion states that facts relevant to unfairness and deception claims frequently overlap. Therefore, companies must be careful that their privacy policies are not deceptive. For example, if a company’s privacy policy states that the company safeguards personally identifiable information by using industry standard practices, then the company should be familiar with ever-evolving industry standard security practices, such as encryption, firewalls, and other commercially reasonable methods for protecting consumer information. Further, if the company collects personally identifiable information, it should keep abreast of any guidelines that the FTC issues about protecting such information and the latest security settlements and consent orders that the FTC posts on its website.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Rahul Kapoor, Intellectual property lawyer, Morgan Lewis

With a focus on commercial, intellectual property (IP), and technology transactions, Rahul Kapoor counsels clients on strategic alliances, joint ventures, and corporate partnering transactions in the technology and life science industries. He also handles standards body licensing structures, patent licensing, open source software strategy, e-commerce and privacy, supply and distribution agreements, consignment agreements, spinoffs and core technology licenses, and IT outsourcing transactions. Rahul is a member of the firm’s Advisory Board, leader of the India initiative and co-leader of the technology initiative, and previously served as the firmwide hiring partner.

Shokoh H. Yaghoubi, Morgan Lewis, Intellectual property lawyer

Shokoh H. Yaghoubi counsels clients on intellectual property issues and strategy involved in mergers and acquisitions, initial public offerings, and financings. She represents clients in transactions relating to technology, including technology and content licensing, transfers of intellectual property rights, joint development and joint venture arrangements, and distribution and sales arrangements. She also advises on supply, service and outsourcing agreements, manufacturing and foundry relationships, and cross-border licensing and strategic alliances.