In Commission Win, Appeals Court Agrees that FTC Can Regulate Business Data Security Practices Under Unfairness Authority
In a closely watched case where the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation for several data breaches that led to millions of dollars in fraudulent charges on customers' payment cards, the U.S. Court of Appeals for the Third Circuit on Monday agreed with the Commission's broad interpretation of its "unfairness" authority (opinion here). The ruling ratifies the FTC's authority in the domain of data
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." For a decade, the FTC has taken enforcement actions against companies suffering data breaches, alleging that their security practices were
The Third Circuit affirmed the District Court's decision, finding that the FTC's allegations met the criteria for unfairness under Section 5. Specifically, the court concluded that to be unfair, conduct must cause substantial injury, the injury must not be outweighed by countervailing benefits to consumers, and the injury could not reasonably have been avoided by consumers. The Court further found that subsequent legislation did not limit the FTC to specific grants of authority. The Third Circuit agreed with Wyndham that the company was entitled to some notice of what was required, but it found adequate notice through at least three factors: (1) a cost-benefit analysis "that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity," would provide notice to Wyndham of what measures the FTC Act required; (2) the FTC's 2007 guidebook, Protecting Personal Information: A Guide for Business (2011 update here), provided a checklist of practices that would create a "sound data security plan;" and (3) a number of administrative cases filed by the FTC addressed inadequate data security practices, and the allegations in "at least four or five complaints have close corollaries here." Those common allegations include:
- Storing payment card information in clear, readable text;
- Failing to assess and monitor network vulnerabilities and defenses (in Wyndham's case, the same intrusion methods were used multiple times);
- Failing to require robust user ID and password combinations;
- Failing to use readily available security features, such as firewalls;
- Failing to employ reasonable measures to detect and prevent unauthorized access to systems or to conduct security investigations.
The FTC's win here is robust, although it may be challenged if Wyndham chooses to appeal to the Supreme Court. Until another court finds differently, the Third Circuit's opinion stands as a strong message to companies to pay close attention to the FTC's guidance on data security, engage in thorough and rigorous exercises to assess the security of the sensitive data they
For more information on data security and privacy under the Federal Trade Commission Act and other federal and state laws, please contact Sheila A. Millar (millar@khlaw.com or +1 202 434.4143) or Tracy P. Marshall (marshall@khlaw.com or +1 202 434.4234). Blog posts on these and related subjects are posted on the Consumer Protection Connection blog.