data breach

The U.S. Court of Appeals for the 3rd Circuit released its much-anticipated ruling in Federal Trade Commission v. Wyndham Worldwide Corp. on August 24, 2015, unanimously upholding the FTC’s authority to regulate companies’ data security practices under Section 5 of the Federal Trade Commission Act (FTC Act).

The 3rd Circuit’s ruling came in response to a suit brought by the FTC in federal court alleging that Wyndham engaged in unfair and deceptive practices surrounding three data breaches in 2008 and 2009 that, “taken together,  unreasonably and unnecessarily exposed [hundreds of thousands of] consumers’ personal data to unauthorized access and theft,” which led to over $10.6 million in fraudulent charges. In its 2012 complaint against Wyndham, the FTC alleged that Wyndham had engaged in the following deficient cybersecurity practices since at least 2008:

  • payment card information was stored in clear readable text (rather than encrypted);
  • simple, easily guessed passwords were used to access property management systems (rather than complex and unique passwords in combination with multi-factor authentication);
  • readily available security measures were not used to limit access between systems (like firewalls which could have segmented networks);
  • adequate information policies and procedures were not implemented (like automated security patching; one system had not been updated for over three years);
  • access was not restricted to third party vendors (like restricting access to specified IP addresses for a specific period of time, or otherwise limiting access as necessary);
  • reasonable measures to detect and prevent unauthorized access were not used (like intrusion prevention and intrusion detection systems); and
  • proper incident response procedures were not followed (like monitoring a network to identify methods of attack and remediating vulnerabilities).

Wyndham had asked the lower court to dismiss the suit, claiming that the FTC is not empowered to police companies’ data security practices under its authority to regulate unfair practices pursuant to Section 5. Conversely, Wyndham also argued that the FTC had not given companies “fair notice” of the data security standards that the agency would enforce. The district court denied Wyndham’s motion to dismiss but permitted the company to seek an appeal, which was accepted by the 3rd Circuit.

On appeal, Wyndham did not challenge the FTC’s allegation that Wyndham overstated the company’s cybersecurity and, contrary to its published privacy policy which suggested it took steps to safeguard confidential information, actually “did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.”

On the merits, the 3rd Circuit agreed with the FTC and rejected Wyndham’s arguments, holding that the agency has the authority under the FTC Act’s “unfairness” prong to conduct enforcement actions against companies for having inadequate data security. In doing so, the court cited the language in 15 U.S.C. § 45(n) as part of the basis for its decision, which states in relevant part that:

The Commission shall have no authority under this [Section 5] … to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

In the case at hand, the court found that consumers could not have reasonably avoided the injury because Wyndham’s published privacy policy misled consumers by overstating its cybersecurity practices. The 3rd Circuit also rebuffed Wyndham’s fair notice claim stating that it was not entitled to know with “ascertainable certainty” what cybersecurity standards the FTC would require of it.

The court held that, at this stage of the proceedings (i.e., a ruling on a Motion to Dismiss), “the relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires.” Instead, fair notice is met if a company could “reasonably foresee that a court could construe [a company’s] conduct as falling within the meaning of the statute.” 

Wyndham’s lack of “any” firewalls, encryption for certain customer files password requirements, accompanied by a series of three security breaches, convinced the court that Wyndham should have been on notice of the possibility that a court could find that its practices were unreasonable. This, in addition to published guidance and multiple other FTC consent decrees, led to the failure of Wyndham’s fair notice challenge.

It remains to be seen whether Wyndham will seek further review of this decision, or whether it will now move on to defending the merits of the case. In any event, unless and until there is further appellate review or a challenge in another Circuit that is resolved against the FTC, the threshold issue of the FTC’s authority to police and enforce companies’ cybersecurity policies and practices is now established.