
Third Circuit Upholds FTC Cybersecurity Standards

The Third Circuit recently clarified the requirements for an “unfair practices” claim under § 45(a) of the Federal Trade Commission Act. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). In this case, the FTC brought claims of unfair and deceptive practices against Wyndham Worldwide Corporation (Wyndham) following data breaches of Wyndham’s computer systems. Wyndham is a hospitality company that franchises and manages hotels and timeshares through subsidiaries. In 2008 and 2009, Wyndham’s systems were hacked, resulting in the theft of hundreds of thousands of consumers’ personal and financial information and over $10.6 million in fraudulent charges. The FTC filed suit alleging that Wyndham’s failure to protect consumers’ information and its deception regarding its privacy policy amounted to unfair practices. The District Court denied Wyndham’s motion to dismiss, and the Third Circuit ruled that the FTC had the authority to regulate cybersecurity under the unfairness prong of § 45(a).

Under § 45(a), the Federal Trade Commission (FTC) cannot declare an act to be an unfair practice unless the injury it causes meets the following requirements: (1) it must be substantial; (2) it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and (3) it must be an injury that consumers themselves could not reasonably have avoided. While the statute lists these requirements, it does not say whether they are the only requirements for finding an unfair practice. Wyndham argued that the necessary conditions for unfair practices go beyond the listed elements, based on the plain meaning of the word “unfair.” Wyndham further argued that practices are “unfair” only if they display unethical behavior or are marked by injustice, partiality, or deception. The Court rejected this argument because it is unnecessary to read the plain meaning of “unfair” into the statute. Applying this rationale to the case, the Court stated that “a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing in adequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

Wyndham also argued that, even if cybersecurity would be covered by § 45(a) as it was originally enacted, recent congressional provisions alter this meaning to exclude cybersecurity. The Court rejected this argument based on the FTC’s history of regulatory authority over cybersecurity issues. The Court found that, while the FTC had not previously required companies to adopt fair information practice policies, that earlier policy was not inconsistent with the FTC currently bringing unfairness actions against companies that cause harm to consumers through inadequate cybersecurity practices. The Court also rejected Wyndham’s claim that it did not have fair notice of the FTC’s cybersecurity standards. The Court affirmed the District Court’s decision, finding that Wyndham’s proposed requirements in addition to those listed in the statute were not persuasive.

For more information, call our business lawyers in Philadelphia at the Law Offices of Sidkoff, Pincus & Green at 215-574-0600 or contact us online.