The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act.  The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers.  The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard.  Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong.  An analysis of the highlights of the Third Circuit’s opinion is available after the jump.

After the district court denied Wyndham’s motion to dismiss, the Third Circuit granted interlocutory appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the unfairness prong of its Section 5 authority, and (2) if the FTC has such authority, whether Wyndham received fair notice that its cybersecurity practices could fall short of this standard.  On the first issue, the Third Circuit rejected Wyndham’s arguments that the FCRA, GLBA, and COPPA could be read to exclude cybersecurity from the reach of the FTC’s Section 5 authority.  According to Wyndham, each of these statutes contains an explicit grant of authority over cybersecurity issues to the FTC — an addition that would be unnecessary if, as the FTC claimed, it has pre-existing authority over cybersecurity under Section 5.  The Third Circuit rejected this argument, noting that the FCRA, GLBA, and COPPA each require the FTC to take specific actions, such as issuing regulations, that go above and beyond the bare requirements of Section 5.  As such, none of these statutes contradict the position that the FTC has Section 5 authority over cybersecurity issues.  The Third Circuit also rejected Wyndham’s contention that the FTC’s prior statements disclaimed regulatory authority over cybersecurity practices, finding that these statements acknowledged limitations in the FTC’s jurisdiction (such as the inability to regulate what data companies collect) that do not prevent the FTC from regulating cybersecurity practices.

Having concluded that the FTC’s Section 5 authority encompasses cybersecurity, the Third Circuit also rejected Wyndham’s argument that the FTC’s failure to provide “fair notice” of required cybersecurity practices under Section 5 violated the Due Process Clause.  As part of this argument, Wyndham highlighted the alleged lack of any concrete guidance from the FTC as to what, exactly, constituted “unfair” cybersecurity practices, and claimed that the FTC failed to define the cybersecurity practices required under Section 5 with “ascertainable certainty.”  However, the Third Circuit held that Wyndham’s preferred “ascertainable certainty” standard cannot apply if, as here, an agency has not issued a relevant “rule, adjudication, or document” that merits Chevron deference.  Where no such deference is required, the court can only engage in the “ordinary judicial interpretation of a civil statute.”  Under this standard, the Third Circuit held that Wyndham was not entitled to fair notice of the specific cybersecurity practices required by the FTC under Section 5.  Instead, Wyndham was only entitled to fair notice of the general standard that is applicable to all unfairness actions (not just cybersecurity) under the plain text of Section 5.

Turning to the second part of the fair notice inquiry, the court held that Wyndham had fair notice that its alleged conduct could “fall within the meaning of” the text of Section 5.  Although it acknowledged that the text of Section 5 is “far from precise,” the court held that the statute provided notice to companies that the “relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”  Noting that Wyndham had been hacked three times, the court held that at a minimum, Wyndham was on notice after the second hack that a court could find that its cybersecurity practices failed the cost-benefit analysis under Section 5.  The court also noted that the FTC has “counseled against many of the specific practices alleged here,” both in its informal guidance and its complaints and consent decrees raising unfairness claims based on inadequate cybersecurity practices.  The court emphasized the presence of similar allegations in at least five of the FTC’s enforcement actions, including one enforcement action in 2006 against CardSystems Solutions that contained almost identical allegations.  Even though many of these decisions alleged a collection of violations under Section 5 and did not specify which violations were necessary or sufficient for an unfairness finding, the Third Circuit held that these enforcement actions could help companies gauge the possibility of liability under Section 5.

In addition, the Third Circuit rejected Wyndham’s argument that it could not have acted unfairly when it was victimized by hackers, finding that Wyndham’s alleged conduct did not fall outside of the “plain meaning” of “unfair.”  Notably, the Third Circuit held that an unfairness claim could be brought “on the basis of likely rather than actual injury.”  Although Wyndham’s conduct may not have been “the most proximate cause of an injury” within the context of the data breaches it suffered, this distinction did not immunize Wyndham from liability for foreseeable harms arising from the breaches.  While the FTC’s complaint did allege actual harm to consumers resulting from the Wyndham breaches in the form of over $10 million in fraudulent charges, this language could allow the FTC to continue bringing enforcement actions where no “actual” harm to consumers exists.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.