Frankfurt Kurnit Klein & Selz

September 2nd, 2015

Federal Appeals Court Confirms FTC Can Bring “Unfairness” Claims in Data Security Breach Cases

The Third Circuit Court of Appeals affirmed this week that the Federal Trade Commission ("FTC") has the authority to declare companies' data security practices "unfair" under Section 5 of the FTC Act. The ruling stems from the FTC's groundbreaking dispute with Wyndham Worldwide Corporation ("Wyndham"), which has become one of the most widely followed and significant data security cases to date. The Third Circuit's recent decision has huge implications for advertisers and all custodians of sensitive customer data, and indicates that the FTC's enforcement efforts in the field of data security are likely to expand.  

Background.

This case first started in 2012, when the FTC sued Wyndham over security breaches of the Wyndham computer systems that allegedly leaked 619,000 customers' personal information, including payment card account numbers, expiration dates, and security codes. The FTC alleged that, after discovering two previous security breaches of its systems by outside hackers, Wyndham "failed to take appropriate steps in a reasonable time frame" to prevent a third compromise of its network, failed to employ reasonable and appropriate measures to protect consumers' personal information against unauthorized access, and that such failures constituted practices that were not only "deceptive" but also "unfair" under Section 5 of the FTC Act.

Wyndham moved to dismiss the FTC's complaint, arguing that Congress never granted the FTC the authority to regulate private companies' cybersecurity practices, and the FTC exceeded its authority in declaring "unfair" Wyndham's failure to implement "commercially reasonable" methods (e.g., encryption, firewalls) for protecting consumer data. The federal trial court denied Wyndham's motion to dismiss the FTC's complaint. In her April 2014 decision, U.S. District Judge Esther Salas found, for the first time, that the FTC not only had authority to bring suits in the data security arena (despite the existence of specific data-security legislation enforced by other federal agencies), but that the FTC did not need to formally create  any regulations before bringing an unfairness claim for data security breaches. This decision affirmed the FTC's power to pursue enforcement actions against private companies for their data security practices. 

Although the trial court proceedings were not yet complete, Wyndham sought an interim review of the April decision. Such reviews — or "interlocutory" appeals —  are rarely granted. However, in a victory for Wyndham, the Third Circuit agreed to consider two issues on interlocutory appeal: 

• Whether the FTC can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and
• If so, whether Wyndham had "fair notice" that its own cybersecurity practices could be found "unfair" under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a);

The Third Circuit's Decision.

In an important opinion, the Third Circuit upheld Judge Salas' April 2014 ruling that the FTC has the authority under the unfairness prong of Section 5 of the FTC Act to bring lawsuits against private companies over their data security practices, and that the agency does not need to create a rule detailing what constitutes "reasonable" cybersecurity practices before exercising its authority to challenge a company's practices as inadequate, and thus "unfair" under the statute.  

Indeed, as to Wyndham's fair notice challenge, the Third Circuit explained that the FTC Act already provides a general standard, in 15 U.S.C. § 45(n), for determining when an act or practice is unfair and in violation of the Act. This rule suggests that companies need to perform a standard cost-benefit analysis regarding the practices in question, and in this case, weigh an investment in stronger cybersecurity measures in light of the probability and expected size of reasonably unavoidable harms to consumers.

Additionally, the appeals court  found Wyndham's fair notice challenge failed because the FTC had issued a guidebook in 2007 outlining a checklist of practices that form a "sound data security plan," including practices like the encryption of sensitive information and use of firewalls to protect against hacker attacks. The opinion noted that, while the guidebook doesn't state that any particular practice is required, it does counsel against many of the practices alleged in this case, and certainly would have helped Wyndham determine in advance that its conduct might not have been adequate under its own cost-benefit analysis. 

The Take-Away.

The big message here is that companies with vulnerable data security regimens will have a lot of difficulty arguing in future cases that they lacked notice from the FTC of what specific cybersecurity practices are necessary. We note that the FTC has continued to expand its focus on data protection and privacy issues: the agency recently kicked of its "Start with Security" initiative, which provides practical resources to help guide US businesses on precisely the question at issue here — what constitutes "reasonable" security measures?

Meanwhile, the case will continue for Wyndham in the trial court, as the discovery process resumes.  

If you have questions about data security, privacy, or other technology law issues, please contact S. Gregory Boyd, CIPM and CIPT at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman, CIPP/US (212) 705 4843 or jgoldman@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.