September 2nd, 2015
Federal Appeals Court Confirms FTC Can Bring “Unfairness” Claims in Data Security Breach Cases
The Third Circuit Court of Appeals affirmed this week that the Federal Trade Commission ("FTC") has the authority to declare companies' data security practices "unfair" under Section 5 of the FTC Act. The ruling stems from the FTC's groundbreaking dispute with Wyndham Worldwide Corporation ("Wyndham"), which has become one of the most widely followed and significant data security cases to date. The Third Circuit's recent decision has huge implications for advertisers and all custodians of sensitive customer data, and indicates that the FTC's enforcement efforts in the field of data security are likely to expand.
Background.
This case first started in 2012, when the FTC sued Wyndham over security breaches of the Wyndham computer systems that allegedly leaked 619,000 customers' personal information, including payment card account numbers, expiration dates, and security codes. The FTC alleged that, after discovering two previous security breaches of its systems by outside hackers, Wyndham "failed to take appropriate steps in a reasonable time frame" to prevent a third compromise of its network, failed to employ reasonable and appropriate measures to protect consumers' personal information against unauthorized access, and that such failures constituted practices that were not only "deceptive" but also "unfair" under Section 5 of the FTC Act.
Wyndham moved to dismiss the FTC's complaint, arguing that Congress never granted the FTC the authority to regulate private companies' cybersecurity practices, and the FTC exceeded its authority in declaring "unfair" Wyndham's failure to implement "commercially reasonable" methods (e.g., encryption, firewalls) for protecting consumer data. The federal trial court denied Wyndham's motion to dismiss the FTC's complaint. In her April 2014 decision, U.S. District Judge Esther Salas found, for the first time, that the FTC not only had authority to bring suits in the data security arena (despite the existence of specific data-security legislation enforced by other federal agencies), but that the FTC did not need to formally create any regulations before bringing an unfairness claim for data security breaches. This decision affirmed the FTC's power to pursue enforcement actions against private companies for their data security practices.
Although the trial court proceedings were not yet complete, Wyndham sought an interim review of the April decision. Such reviews — or "interlocutory" appeals — are rarely granted. However, in a victory for Wyndham, the Third Circuit agreed to consider two issues on interlocutory appeal:
- Whether the FTC can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and
- If so, whether Wyndham had "fair notice" that its own cybersecurity practices could be found "unfair" under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
The Third Circuit's Decision.
In an important opinion, the Third Circuit upheld Judge Salas' April 2014 ruling that the FTC has the authority under the unfairness prong of Section 5 of the FTC Act to bring lawsuits against private companies over their data security practices. The court also held that the agency does not need to create a rule detailing what constitutes "reasonable" cybersecurity practices before exercising its authority to challenge a company's practices as inadequate, and thus "unfair," under the statute.
Indeed, as to Wyndham's fair notice challenge, the Third Circuit explained that the FTC Act already provides a general standard, in 15 U.S.C. § 45(n), for determining when an act or practice is unfair and in violation of the Act. This rule suggests that companies need to perform a standard cost-benefit analysis regarding the practices in question, and in this case, weigh an investment in stronger cybersecurity measures in light of the probability and expected size of reasonably unavoidable harms to consumers.
Additionally, the appeals court found Wyndham's fair notice challenge failed because the FTC had issued a guidebook in 2007 outlining a checklist of practices that form a "sound data security plan," including practices like the encryption of sensitive information and use of firewalls to protect against hacker attacks. The opinion noted that, while the guidebook doesn't state that any particular practice is required, it does counsel against many of the practices alleged in this case, and certainly would have helped Wyndham determine in advance that its conduct might not have been adequate under its own cost-benefit analysis.
The Take-Away.
The big message here is that companies with vulnerable data security regimens will have a lot of difficulty arguing in future cases that they lacked notice from the FTC of what specific cybersecurity practices are necessary. We note that the FTC has continued to expand its focus on data protection and privacy issues: the agency recently kicked off its "Start with Security" initiative, which provides practical resources to help guide US businesses on precisely the question at issue here — what constitutes "reasonable" security measures?
Meanwhile, the case will continue for Wyndham in the trial court, as the discovery process resumes.
If you have questions about data security, privacy, or other technology law issues, please contact S. Gregory Boyd, CIPM and CIPT at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman, CIPP/US (212) 705 4843 or jgoldman@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.