In a widely anticipated opinion, the Third Circuit on August 24, 2015, left no doubt about the Federal Trade Commission’s (FTC) authority to prosecute cybersecurity actions. The Court determined in FTC v. Wyndham[1] that:
- The FTC could prosecute cybersecurity cases under the unfair or deceptive acts provisions of the Federal Trade Commission Act (FTCA)
- The FTC’s past investigations and publications (and the statute itself) provided sufficient notice to businesses of potential liability under the Act
In short, the era of FTC investigations of and enforcement actions against businesses relating to the implementation and execution of appropriate cybersecurity protection measures is here.
Facts
The Wyndham case arose from multiple cybersecurity breaches suffered by Wyndham Worldwide Corporation in 2008 and 2009. The FTC brought an action against Wyndham contending that it engaged in unfair cybersecurity practices that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Specifically, the FTC charged that the defendant:
- Improperly stored payment card information
- Allowed the use of easily guessed passwords to access property management systems
- Failed to use available security measures such as firewalls
- Failed to implement cybersecurity policies and procedures (including the use of an obsolete operating system)
- Failed to maintain an adequate inventory of computers connected to its network
- Failed to restrict access to cyber information
- Failed to institute measures to detect and prevent unauthorized access
- Failed to follow proper incident response procedures
Unfairness
The defendant argued that cybersecurity practices could not be determined to be unfair under the FTCA. The Court found that a determination by the FTC that a particular practice “causes substantial injury to consumers” was sufficient to be deemed unfair. The FTC also made short work of the defendant’s argument that an unfair practice also must be inequitable, noting that “[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Wyndham, p. 17. The Court also noted that unfair acts might include deceptive acts under the statute and that such claims “may be brought on the basis of likely, rather than actual, injury.”
Notice
Having determined that the FTC has the authority to prosecute cases regarding cybersecurity issues, the Court next turned to whether the defendant received proper notice of its potential liability under the FTCA. The Third Circuit confirmed that proper notice had been given because the FTC had frequently publicized its beliefs that cybersecurity practices could be determined unfair under the statute through public statements, publicized prosecutions and investigations, the FTC’s website, and the Federal Register. Further, the Court held that because the statute was civil rather than criminal, the standards for fair notice are lax. The less stringent standards were held particularly applicable where the statute regulates economic issues. The Court found that “[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”
Path Forward
How does the FTC decision impact businesses? First, there is no question that the FTC will continue to investigate and prosecute cybersecurity matters with vigor. Second, the Wyndham decision stands as public notice to companies that they must adopt industry-recognized cybersecurity measures conforming to the emerging standard of care and ensure those measures are implemented and reviewed regularly. The Third Circuit even described a preliminary list of cybersecurity practices, which may lead to FTC action under § 45(a) and (n):
- Storing personal information in vulnerable format
- Failing to assess the vulnerabilities of web applications and computer networks to reasonably foreseeable attacks, including failing to implement defenses to those vulnerabilities
- Failing to use strong passwords to prevent access to the network
- Failing to use security measures to prevent access between computers in the network as well as the Internet
- Failing to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations
Wyndham, pp. 45-46.
Finally, the Court makes clear that the claimed injury to consumers and/or competitors under § 45 (a) and (n) need not be actual — just likely. Such a standard will likely encourage plaintiffs to file complaints under the statute given the less onerous proof of injury requirements.
The Wyndham decision is the latest in a line of events and court cases to elevate cybersecurity on the list of enterprise concerns, and to extend cybersecurity responsibility beyond the sole province of IT. Companies must ensure that they have created, implemented, and reviewed their cybersecurity policies and evaluated the strength of their security defenses – and are prepared to demonstrate that they have done so. These defenses include addressing threats posed by employees, contractors, and business partners. Failure to do so will not only create vulnerability to security breaches, but may be met with an invigorated FTC investigation and consumer actions, and increased operational and liability exposure.
[1] Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (U.S. Ct. of Appeals, Third Circuit, August 24, 2015, Case No.: 14-3514, herein “Wyndham”)