On Friday, March 27, 2015, the Federal Trade Commission and Wyndham Worldwide Corp. filed supplemental briefing in the Third Circuit regarding whether the FTC had made an adjudicative decision that the FTC Act prohibits unreasonable cybersecurity practices and, if not, whether a federal court could hear a case charging a violation of the FTC Act if the FTC has not yet made such an adjudicative decision.
Recall that, in FTC v. Wyndham Worldwide Corp. et al., the FTC has alleged that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information. Unsurprisingly, the parties held diametrical opinions on the issue of whether the FTC had declared unreasonable cybersecurity practices unfair through the procedures of the FTC Act. The FTC began by arguing that it had done so through the issuance of an interlocutory decision in LabMD. Wyndham countered, noting that the interlocutory decision denying a motion to dismiss in LabMD was not final, and therefore could not amount to a formal declaration about the meaning of unfairness.
Next, the FTC argued that it had declared unreasonable cybersecurity practices through the issuance of more than 20 complaints charging as much. The FTC argued that “complaints are akin to policy statements or interpretive rulings,” which litigants and the courts may resort to for guidance, and that the FTC’s issuance of more than 20 complaints charging deficient data security practices are unfair was therefore sufficient to satisfy any requirement that the FTC have declared unreasonable cybersecurity practices unfair through procedures of the FTC Act. It is worth noting that, in making this argument, the FTC cited to a 2014 Third Circuit case which stated that courts and litigants may look to agency policy statements and interpretive rules for guidance. However, the same case also noted that such statements “do not have the force of law,” raising the question of whether they could be considered adjudicative decisions. Wyndham highlighted this point, arguing that because complaints and consent decrees do not adjudicate the legality of any action by a party thereto, they cannot constitute a declaration of law on any issue, including that unreasonable cybersecurity practices are unfair. “Try as it might,” Wyndham said, “the Commission cannot transform complaints and consent decrees into rules and adjudications.”
Finally, the FTC argued that it had declared unreasonable cybersecurity practices unfair through the giving of Congressional testimony stating that the FTC deemed inadequate data security to be a potentially unfair practice. This possibility was not addressed by Wyndham.
The above dispute aside, both parties agreed that the Third Circuit need not decide the issue of whether the case is a “proper case” within the meaning of Section 13(b) of the FTC Act and therefore appropriately before the federal court. Both parties noted that neither had raised the issue and that, in any event, resolution of the issue was not necessary to establish jurisdiction as the federal courts independently have jurisdiction of the case pursuant to 28 U.S.C. §§ 1331, 1337, and 1345. The parties also both noted that many courts have held that a “proper case” is any case that the Commission chooses to bring directly in court for violation of an FTC-enforced statue and that, were the Third Circuit to hold otherwise, it would create a circuit conflict.