3rd Circuit Affirms FTC’s Authority to Regulate Data Security and Privacy

Data security and privacy lawyers around the country have been closely monitoring the matter of FTC v. Wyndham Worldwide Corp., pending in the 3rd Circuit.  The case arose over multiple data breaches suffered by Wyndham and its customers in 2008 and 2009.  Over $10 million in fraudulent charges were booked as a result.  Wyndham faced civil litigation from consumers and shareholders alike.  Additionally, the FTC brought an action under its broad authority to pursue civil damages and injunctive relief for unfair business practices.  Although the term is a general one, an unfair business practice under the FTC Act requires harm to consumers.  The FTC has reasoned in recent years that lax cybersecurity meets this standard because data breaches cause consumer harm.

It is worthwhile to keep in mind the facts that gave rise to the FTC’s action against Wyndham.  The FTC alleged that the aforementioned breaches were caused by Wyndham’s lax cybersecurity policies.  For example, Wyndham did not adequately protect the passwords to its property management system.  Rather than requiring complex passwords containing numbers and capital letters, Wyndham protected its system with easily guessed passwords.  Additional bad facts for Wyndham include its practice of storing consumers’ payment information in plain, readable, unencrypted text.  This is a big sin in the security world.  Finally, Wyndham failed to implement industry-standard privacy protections such as firewalls and segmented data storage.

Despite the above-mentioned data security sins, perhaps the worst fact for Wyndham is that it promised consumers in its privacy policy that it used industry-standard security measures.  That promise was clearly false under this fact pattern and was likely the straw that broke the camel’s back in the FTC’s decision to bring an action.  Consumer deception, and not mere negligence, is typically what grabs the FTC’s attention in our experience defending FTC civil actions.

With this factual background squared away, we can turn our attention to the legal issue before the 3rd Circuit.  Wyndham argued that its actions were not “unfair” under the FTC Act.  Wyndham reasoned that it, like its customers, was a victim of cyber criminals.  Wyndham essentially argued that it would be unfairly punished if the FTC were allowed to pile on with its own civil suit.  Wyndham additionally attacked a perceived vagueness in the FTC’s rules governing cybersecurity practices for businesses.  It argued that such vagueness rendered compliance impossible.

The Court rejected both lines of argument by Wyndham.  With respect to the argument that Wyndham’s victim status rendered it immune from liability for “unfair” business practices, the Court summarily stated that Wyndham provided no authority to support such a position.  With regard to the vagueness of the FTC’s cybersecurity rules, the Court stated that while the rules are not a model of clarity, they do provide enough guidance for entities to follow with respect to adequate security standards.

This case has been followed closely by experts on all sides of the issue.  It is not debatable that cybersecurity is among the hottest and most rapidly developing practice areas.  The potential liability from a data breach can turn any case into bet-the-company litigation, even for large concerns.  It appears that companies can expect the FTC to be a litigation combatant in addition to consumers, shareholders and state regulators.  We have seen a large rise in cases brought by the FTC, and the trend will continue.

What lessons can be learned by companies like Wyndham?  First, do not overpromise and underdeliver with respect to your privacy policy.  Second, follow not only the FTC guidelines on cybersecurity but also the cases the FTC files.  To the extent that the FTC guidelines are fuzzy, clarity will often appear in the outcomes of cases in the various District Courts.  It is important to pay particular attention to the handling of matters by your local FTC branch.