Sep 4, 2015

Third Circuit Upholds FTC Authority on Cybersecurity

Alert | Corporate Compliance Alert

On August 24, 2015, the Third Circuit released its long-awaited opinion in Federal Trade Commission v. Wyndham Worldwide Corp., et al., Case No. 14-3514, and affirmed a District Court’s finding that the Federal Trade Commission (the “FTC”) has authority to regulate cybersecurity under the “unfairness” prong of section 45(a) of the Federal Trade Commission Act. The ruling solidifies the FTC’s regulatory authority to pursue companies for failure to adequately secure customer and consumer data. The Court rejected Wyndham’s arguments that (a) unfair conduct necessarily required unscrupulous or unethical behavior; (b) unfair conduct required that the conduct be “marked by injustice, partiality, or deception”; and (c) Wyndham could not be found to have engaged in unfair conduct where it itself was the victim of a crime. The Court also held that subsequent statutes, particularly the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and recent amendments to the Fair Credit Reporting Act, did not operate to exclude general regulatory authority over cybersecurity issues by the FTC.

The opinion reserves the question of whether any data breach would fall within the unfairness prong of section 45(a). The Court made clear that Wyndham’s privacy policy, which made claims regarding protections for electronic customer data that were allegedly false, compelled a finding that the consumer’s injury was not reasonably avoidable, since the consumer would presumably rely on Wyndham’s representations in its privacy policy. But the Court left open the possibility of a broader holding, stating in a footnote: “[n]o doubt there is an argument that consumers could not reasonably avoid injury even absent the misleading privacy policy . . . . We have no occasion to reach this question, as the parties have not raised it.”

The implications of the holding will only become apparent with time. Indeed, the FTC has brought complaints and entered into consent decrees since at least 2005 concerning cybersecurity failures, focusing on particularly egregious failures. Thus, the FTC has assumed this authority all along. Now, however, the FTC is on surer ground than ever before, and given the nationwide, mainstream reportage on high-profile breaches like the Sony and Ashley Madison hacks, it is fair to expect a more vigorous approach from the FTC going forward.

Please contact any of the following Roetzel attorneys for additional information regarding the implications of the Wyndham decision for your company.
