The United States Third Circuit Court of Appeals has affirmed the Federal Trade Commission's authority to police cybersecurity under section 5(a) of the Federal Trade Commission Act (FTC Act).

What does this mean? Well, for starters... Let's look back:

In FTC v. Wyndham Worldwide Corp., 10 F.Supp.3d 602 (D.N.J. 2014), the FTC sued Wyndham hotels after three data breaches exposed sensitive customer financial data. In its complaint, the FTC alleged that Wyndham misrepresented its safeguards to protect consumer information and failed to maintain reasonable data security practices.

In response, Wyndham challenged the FTC's authority to enforce data security standards with two arguments. First, Wyndham argued that Congress precluded the FTC's jurisdiction over data security by adopting specific security legislation (e.g. the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996). Second, Wyndham argued that the FTC could not bring an enforcement action unless it first published "rules, regulations, or other guidelines" setting out the acceptable cybersecurity standards.

The Third Circuit rejected both of Wyndham's arguments, concluding that the FTC can police cybersecurity because (1) inadequate data-security practices constitute "unfair acts or practices" under section 5(a) of the FTC Act, and (2) companies, including Wyndham, have "fair notice" regarding the cybersecurity practices deemed reasonable by the FTC Act.

So, what does the Third Circuit's decision mean looking forward?

It means that the FTC is likely to continue to seek consent decrees or bring enforcement actions against companies for inadequate data-security practices that compromise consumer data. Thus, companies should pay careful attention to lessons learned from the more than 50 law enforcement actions the FTC has brought thus far. To that end, the FTC has provided a resource in the form of a recently issued security guide, which references those enforcement actions and provides a best-practices overview of data security.
