Third Circuit Upholds FTC’s Data Security Authority in FTC v. Wyndham
The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act. The highly anticipated precedential opinion rejected Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers. The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it was entitled to notice of which specific cybersecurity practices are required to satisfy the Section 5 standard. Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong. An analysis of the highlights of the Third Circuit’s opinion follows.
After the district court denied Wyndham’s motion to dismiss, the Third Circuit granted interlocutory appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the unfairness prong of its Section 5 authority, and (2) if the FTC has such authority, whether Wyndham received fair notice that its cybersecurity practices could fall short of this standard. On the first issue, the Third Circuit rejected Wyndham’s arguments that the FCRA, GLBA, and COPPA could be read to exclude cybersecurity from the reach of the FTC’s Section 5 authority. According to Wyndham, each of these statutes contains an explicit grant of authority over cybersecurity issues to the FTC — an addition that would be unnecessary if, as the FTC claimed, it has pre-existing authority over cybersecurity under Section 5. The Third Circuit rejected this argument, noting that the FCRA, GLBA, and COPPA each require the FTC to take specific actions, such as issuing regulations, that go above and beyond the bare requirements of Section 5. As such, none of these statutes contradict the position that the FTC has Section 5 authority over cybersecurity issues. The Third Circuit also rejected Wyndham’s contention that the FTC’s prior statements disclaimed regulatory authority over cybersecurity practices, finding that these statements acknowledged limitations in the FTC’s jurisdiction (such as the inability to regulate what data companies collect) that do not prevent the FTC from regulating cybersecurity practices.
Having concluded that the FTC’s Section 5 authority encompasses cybersecurity, the Third Circuit also rejected Wyndham’s argument that the FTC’s failure to provide “fair notice” of required cybersecurity practices under Section 5 violated the Due Process Clause. As part of this argument, Wyndham highlighted the alleged lack of any concrete guidance from the FTC as to what, exactly, constituted “unfair” cybersecurity practices, and claimed that the FTC failed to define the cybersecurity practices required under Section 5 with “ascertainable certainty.” However, the Third Circuit held that Wyndham’s preferred “ascertainable certainty” standard cannot apply if, as here, an agency has not issued a relevant “rule, adjudication, or document” that merits Chevron deference. Where no such deference is required, the court can only engage in the “ordinary judicial interpretation of a civil statute.” Under this standard, the Third Circuit held that Wyndham was not entitled to fair notice of the specific cybersecurity practices required by the FTC under Section 5. Instead, Wyndham was only entitled to fair notice of the general standard that is applicable to all unfairness actions (not just cybersecurity) under the plain text of Section 5.
Turning to the second part of the fair notice inquiry, the court held that Wyndham had fair notice that its alleged conduct could “fall within the meaning of” the text of Section 5. Although it acknowledged that the text of Section 5 is “far from precise,” the court held that the statute provided notice to companies that the “relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” Noting that Wyndham had been hacked three times, the court held that at a minimum, Wyndham was on notice after the second hack that a court could find that its cybersecurity practices failed the cost-benefit analysis under Section 5. The court also noted that the FTC has “counseled against many of the specific practices alleged here,” both in its informal guidance and its complaints and consent decrees raising unfairness claims based on inadequate cybersecurity practices. The court emphasized the presence of similar allegations in at least five of the FTC’s enforcement actions, including one enforcement action in 2006 against CardSystems Solutions that contained almost identical allegations. Even though many of these decisions alleged a collection of violations under Section 5 and did not specify which violations were necessary or sufficient for an unfairness finding, the Third Circuit held that these enforcement actions could help companies gauge the possibility of liability under Section 5.
In addition, the Third Circuit rejected Wyndham’s argument that it could not have acted unfairly when it was itself the victim of hackers, finding that Wyndham’s alleged conduct did not fall outside of the “plain meaning” of “unfair.” Notably, the Third Circuit held that an unfairness claim could be brought “on the basis of likely rather than actual injury.” Although Wyndham’s conduct may not have been “the most proximate cause of an injury” in the context of the data breaches it suffered, this distinction did not immunize Wyndham from liability for foreseeable harms arising from the breaches. While the FTC’s complaint did allege actual harm to consumers resulting from the Wyndham breaches in the form of over $10 million in fraudulent charges, the court’s “likely injury” language could allow the FTC to continue bringing enforcement actions where no “actual” harm to consumers has yet occurred.