Data security and privacy lawyers around the country have been closely monitoring the matter of FTC v. Wyndham Worldwide Corp., pending in the 3rd Circuit. The case arose from multiple data breaches suffered by Wyndham and its customers in 2008 and 2009. Over $10 million in fraudulent charges were booked as a result. Wyndham faced civil litigation from consumers and shareholders alike. Additionally, the FTC brought an action under its broad authority to pursue civil damages and injunctive relief for unfair business practices. Although the term is a general one, an unfair business practice under the FTC Act requires harm to consumers. The FTC has reasoned in recent years that lax cybersecurity meets this standard because data breaches cause consumer harm.
It is worthwhile to keep in mind the facts that gave rise to the FTC’s action against Wyndham. The FTC alleged that the aforementioned breaches were caused by Wyndham’s nonchalant cybersecurity policies. For example, Wyndham did not adequately protect the passwords to its property management system. Rather than using complex passwords including numbers and capital letters, Wyndham protected its system with easily guessed passwords. Additional bad facts for Wyndham include its practice of storing consumers’ payment information in plain, readable, unencrypted text. This is a big sin in the security world. Finally, Wyndham failed to implement industry-standard privacy protections such as firewalls and segmented data storage.
With this factual background squared away, we can turn our attention to the legal issue before the 3rd Circuit. Wyndham argued that its actions were not “unfair” under the FTC Act. Wyndham reasoned that it, like its customers, was a victim of cyber criminals. Wyndham essentially argued that it would be unfairly punished if the FTC were allowed to pile on with its own civil suit. Wyndham additionally attacked a perceived vagueness in the FTC’s rules governing cybersecurity practices for businesses. It argued that such vagueness rendered compliance impossible.
The Court rejected both lines of argument by Wyndham. With respect to the argument that Wyndham’s victim status rendered it immune from liability for “unfair” business practices, the Court summarily stated that Wyndham provided no authority to support such a position. With regard to the vagueness of the FTC’s cybersecurity rules, the Court stated that while the rules are not a model of clarity, they do provide enough guidance for entities to follow with respect to adequate security standards.
This case has been followed closely by experts on all sides of the issue. It is not debatable that cybersecurity is among the hottest and most rapidly developing practice areas. The potential liability of a data breach can turn any case into bet-the-company litigation, even for large concerns. It appears that companies can expect the FTC to be a litigation combatant in addition to consumers, shareholders and state regulators. We have seen a large rise in cases brought by the FTC, and the trend will continue.