September 2nd, 2015
Federal Appeals Court Confirms FTC Can Bring “Unfairness” Claims in Data Security Breach Cases
The Third Circuit Court of Appeals affirmed this week that the Federal Trade Commission ("FTC") has the authority to declare companies' data security practices "unfair" under Section 5 of the FTC Act. The ruling stems from the FTC's groundbreaking dispute with Wyndham Worldwide Corporation ("Wyndham"), which has become one of the most widely followed and significant data security cases to date. The Third Circuit's recent decision has huge implications for advertisers and all custodians of sensitive customer data, and indicates that the FTC's enforcement efforts in the field of data security are likely to expand.
This case first started in 2012, when the FTC sued Wyndham over security breaches of the Wyndham computer systems that allegedly leaked 619,000 customers' personal information, including payment card account numbers, expiration dates, and security codes. The FTC alleged that, after discovering two previous security breaches of its systems by outside hackers, Wyndham "failed to take appropriate steps in a reasonable time frame" to prevent a third compromise of its network, failed to employ reasonable and appropriate measures to protect consumers' personal information against unauthorized access, and that such failures constituted practices that were not only "deceptive" but also "unfair" under Section 5 of the FTC Act.
Wyndham moved to dismiss the FTC's complaint, arguing that Congress never granted the FTC the authority to regulate private companies' cybersecurity practices, and that the FTC exceeded its authority in declaring "unfair" Wyndham's failure to implement "commercially reasonable" methods (e.g., encryption, firewalls) for protecting consumer data. The federal trial court denied Wyndham's motion to dismiss. In her April 2014 decision, U.S. District Judge Esther Salas found, for the first time, that the FTC not only had authority to bring suits in the data security arena (despite the existence of specific data-security legislation enforced by other federal agencies), but that the FTC did not need to formally promulgate any regulations before bringing an unfairness claim for data security breaches. This decision affirmed the FTC's power to pursue enforcement actions against private companies for their data security practices.
Although the trial court proceedings were not yet complete, Wyndham sought an interim review of the April decision. Such reviews — or "interlocutory" appeals — are rarely granted. However, in a victory for Wyndham, the Third Circuit agreed to consider two issues on interlocutory appeal:
- Whether the FTC can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and
- If so, whether Wyndham had "fair notice" that its own cybersecurity practices could be found "unfair" under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
The Third Circuit's Decision.
In an important opinion, the Third Circuit upheld Judge Salas' April 2014 ruling that the FTC has the authority under the unfairness prong of Section 5 of the FTC Act to bring lawsuits against private companies over their data security practices, and that the agency does not need to create a rule detailing what constitutes "reasonable" cybersecurity practices before exercising its authority to challenge a company's practices as inadequate, and thus "unfair" under the statute.
Indeed, as to Wyndham's fair notice challenge, the Third Circuit explained that the FTC Act already provides a general standard, in 15 U.S.C. § 45(n), for determining when an act or practice is unfair and in violation of the Act. That standard calls for a cost-benefit analysis of the practices in question: in this case, weighing an investment in stronger cybersecurity measures against the probability and expected size of the harms to consumers that those measures would avoid.
Additionally, the appeals court found Wyndham's fair notice challenge failed because the FTC had issued a guidebook in 2007 outlining a checklist of practices that form a "sound data security plan," including practices like the encryption of sensitive information and use of firewalls to protect against hacker attacks. The opinion noted that, while the guidebook doesn't state that any particular practice is required, it does counsel against many of the practices alleged in this case, and certainly would have helped Wyndham determine in advance that its conduct might not have been adequate under its own cost-benefit analysis.
The big message here is that companies with vulnerable data security regimens will have a lot of difficulty arguing in future cases that they lacked notice from the FTC of what specific cybersecurity practices are necessary. We note that the FTC has continued to expand its focus on data protection and privacy issues: the agency recently kicked off its "Start with Security" initiative, which provides practical resources to help guide US businesses on precisely the question at issue here: what constitutes "reasonable" security measures?
Meanwhile, the case will continue for Wyndham in the trial court, as the discovery process resumes.
If you have questions about data security, privacy, or other technology law issues, please contact S. Gregory Boyd, CIPM and CIPT, at (212) 826 5581, Jeremy Goldman, CIPP/US, at (212) 705 4843, Rayna S. Lopyan at (212) 705 4842, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.