Third Circuit Affirms FTC’s Cyber Security Enforcement Role
Yesterday, the FTC won once again in its ongoing battle with Wyndham Worldwide Corporation over the Commission's authority to bring enforcement actions against companies for inadequate cyber security.
The FTC had cited Wyndham because intruders gained access to its network on three separate occasions, using similar techniques each time, and accessed personal information stored on the Wyndham-branded hotels’ property management system servers, including customers’ payment card account numbers, expiration dates, and security codes. The FTC charged that after the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [their] network.”
In 2014, the federal district court in New Jersey denied Wyndham’s motion to dismiss the FTC’s complaint, and that decision has now been affirmed by the Third Circuit Court of Appeals. Wyndham may still appeal to the Supreme Court.
FTC Chairwoman Ramirez stated in response,
Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.
The Third Circuit’s opinion rejected each of Wyndham’s three main arguments.
(1) Court Rejects Wyndham’s Attempt to Expand the Unfairness Requirement
Wyndham tried to graft three additional elements onto the FTC Act’s definition of unfair conduct. It argued that such conduct must (i) injure consumers “through unscrupulous or unethical behavior”; (ii) be inequitable; and (iii) involve treating customers in an ‘unfair’ manner, which Wyndham said cannot be the case when the business itself is victimized by criminals. The Third Circuit rejected all three arguments.
(2) FTC Seeking Greater Authority in Cyber Security Not an Admission It Has No Authority
The Third Circuit also rejected Wyndham’s argument that the FTC somehow conceded it lacked authority by seeking express cyber security authority from Congress. The court explained that in seeking such authority, the FTC simply recognized that “existing authority may not be sufficient to effectively protect consumers with regard to all data privacy issues of potential concern (such as aspects of children’s online privacy).”
(3) Wyndham Had Sufficient Notice It Could Be Liable
The Court rejected Wyndham’s claim that it was entitled to know “with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a),” noting that instead “the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.”
Here the answer is “yes.” In 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Business (below). This, together with numerous consent orders, including one against CardSystems Solutions, Inc., No. C-4168 (FTC 2006) that rested on nearly identical allegations, was sufficient to put Wyndham on notice.
In addition, since the FTC brought its action only after Wyndham’s third security breach, Wyndham had sufficient notice of its potential exposure after the prior two breaches.
The opinion and the 2007 guidebook are below.