The U.S. Court of Appeals for the Third Circuit, affirming a decision by the U.S. District Court for the District of New Jersey, has ruled that the Federal Trade Commission (FTC) indeed has the authority to bring enforcement actions against companies with allegedly deficient cybersecurity measures that fail to protect consumer data against hackers, as it has done in many previous instances.

Background

The FTC has become the primary privacy regulatory agency enforcing commercial data security practices, exercising its right to regulate "unfair or deceptive acts or practices in or effecting commerce" pursuant to Section 5(a) of the Federal Trade Commission Act (the Act). On three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation's computer systems. In total, the hackers allegedly stole the personal and financial information of hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. While the vast majority of targets of FTC data security enforcement actions choose to settle, Wyndham chose to fight the matter and challenge the FTC's authority to pursue the matter.

The FTC sued Wyndham in June 2012, alleging that Wyndham's conduct was an unfair practice and that its privacy policy was deceptive. In particular, the FTC alleged that, at least since April 2008, Wyndham had been engaging in unfair cybersecurity practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

In 2014, the district court denied Wyndham's motion to dismiss. Wyndham appealed to the Third Circuit, arguing that the FTC did not have the authority to regulate cybersecurity under the unfairness prong of the Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."

The Third Circuit's Decision

In affirming the district court decision, the Third Circuit rejected Wyndham's arguments that conduct was only "unfair" for purposes of the Act (i) when consumers are injured "through unscrupulous or unethical behavior," (ii) if its conduct was "not equitable," or (iii) if its conduct was "marked by injustice, partiality, or deception." Stating that "facts relevant to unfairness and deception claims frequently overlap," the Third Circuit ruled that Wyndham had not acted equitably when it published a privacy policy to attract customers who were concerned about data privacy, failed to make good on that promise by "investing inadequate resources in cybersecurity," exposed its unsuspecting customers to "substantial financial injury," and retained the profits of their business.

Moreover, the Third Circuit was not persuaded by Wyndham's assertion that a business did not treat its customers in an "unfair" manner when the business itself was "victimized by criminals," finding no reasoning or authority for this principle. In the circuit court's view, that a company's conduct was not the most proximate cause of an injury generally did "not immunize liability from foreseeable harms." (The Third Circuit noted that there was "good reason" that Wyndham had not argued that the cybersecurity intrusions it had suffered were unforeseeable, since that argument would have been "particularly implausible as to the second and third attacks.")

Wyndham had alleged that the FTC's support of various new privacy and data security legislation amounted to an acknowledgement by the FTC that it presently lacked the authority to pursue these matters. Ultimately, the Third Circuit declared that it would not interpret amendments to the federal Fair Credit Reporting Act, the enactment of the federal Children's Online Privacy Protection Act, or Congress' failure to enact specific cybersecurity legislation to exclude cybersecurity from Section 5(a).

Bottom Line

For the past decade, the FTC has been bringing administrative actions under the Act against companies with allegedly deficient data security practices that failed to protect consumer data against hackers; the vast majority of these matters have ended in settlement. Now, with the Third Circuit's decision affirming the FTC's authority to hold companies accountable for failing to safeguard consumer data, one can expect an emboldened FTC to take even more action. All companies, especially those that store or maintain any sensitive financial or personal information, should use this ruling as a reason to re-assess their current cybersecurity practices to ensure that they are consistent with and accurately disclosed under all public representations about these practices, and that they have taken adequate steps to protect consumer data from unauthorized access.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.