On August 24, in a highly anticipated decision, the United States Third Circuit Court of Appeals unanimously affirmed the district court's ruling in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission ("FTC") has the authority to regulate a company's data security practices under Section 5 of the FTC Act, which broadly prohibits "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a) ("Section 5"). In a precedent-setting victory for the FTC, the Third Circuit further held that Wyndham - after being victimized by several data breaches - had fair notice that its cybersecurity practices could fall short of Section 5's "unfairness" standard. The court's decision endorses the FTC as a key cybersecurity regulator and is instructive for companies subject to the FTC's enforcement authority.

According to the FTC's complaint, on three separate occasions in 2008 and 2009, hackers accessed Wyndham's computer systems and obtained consumers' personal data, including payment card information. The attacks reportedly affected over 619,000 consumers and led to more than $10.6 million in fraudulent charges. In 2012, the FTC filed suit in federal district court claiming that Wyndham engaged in "unfair" and "deceptive" practices in violation of Section 5. In its complaint, the FTC alleged that the company's cybersecurity practices failed to address known security vulnerabilities, allowed the use of simple passwords, and did not use encryption, firewalls, current operating systems, and other commercially reasonable methods for protecting consumer data, which "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." The FTC also alleged that Wyndham's conduct was deceptive, in that its privacy policy misrepresented to consumers that it used "commercially reasonable efforts" to safeguard identifiable information. The district court denied Wyndham's motion to dismiss last April, and the Third Circuit granted an interlocutory appeal on two issues: (1) whether the FTC had authority to regulate cybersecurity under the unfairness prong of Section 5; and, if so, (2) whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision.

The Court of Appeals first considered whether the FTC had regulatory authority to enforce cybersecurity standards under Section 5. The Court rejected Wyndham's arguments that the alleged conduct fell outside the plain meaning of "unfair." It specifically rejected an argument that "unfair" conduct required "unscrupulous" or "unethical" conduct, as unsupported by precedent. It similarly rejected Wyndham's interpretation that Section 5 could not contemplate a situation where the business itself is victimized by criminals. The Court found it unnecessary to determine whether "unfair" required acts that were "not equitable" or "marked by injustice, partiality, or deception," stating that Wyndham's allegedly deceptive privacy policy satisfied the definition regardless because, among other reasons, according to the FTC, Wyndham failed to invest in the appropriate security resources necessary to meet the privacy protections its written policies purported to provide its customers. Finally, the Court rejected Wyndham's argument that prior congressional implementation of cybersecurity legislation in particular industries excluded cybersecurity from the FTC's unfairness authority.

Wyndham also argued that notwithstanding whether its conduct was unfair under Section 5, the FTC failed to provide fair notice of the specific cybersecurity standards the company was required to implement and follow. Wyndham specifically pointed out that there was no rule, adjudication or document meriting deference in which the FTC affirmatively declared that cybersecurity practices can be unfair. The Court rejected this argument, stating that the relevant inquiry was not "whether Wyndham had fair notice of the FTC's interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires." The Court ruled that Wyndham was not entitled to know with "ascertainable certainty" what the FTC's interpretation of the statute was or what cybersecurity practices are required by Section 5. The Court further pointed out that Section 5's requirement of a cost-benefit analysis should have been instructive. While the statute by no means offered clear guidance, the Third Circuit nonetheless stated that "[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute." The Court ultimately concluded that Wyndham did have fair notice of the meaning of Section 5 in the context of cybersecurity and data privacy, pointing in support of that finding to the allegations that Wyndham had suffered three separate breaches, that it had taken insufficient action to protect against and that the FTC had in fact published a guidebook providing a checklist of practices that form a "sound data security plan."

The Third Circuit's opinion is undoubtedly an important one in the realm of cybersecurity law. While the FTC has steadily increased its enforcement activities against companies with inadequate cybersecurity measures since 2005, this is the first major case to affirm its authority to do so. While by no means a mandate on what companies must do to avoid allegations of "unfair" or "deceptive" cybersecurity practices, the case provides useful guidance to companies on how they should implement and develop their cybersecurity practices and offers examples of unacceptable or deficient practices that companies should be aware of and ward against.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.