Months. Actually, years. That’s how long the notion has been brewing that the Federal Trade Commission has no authority to enforce reasonable data security under the unfairness prong of FTC Act Section 5. The stakes are high – the FTC can pursue essentially any commercial company under the FTC Act for unfair or deceptive trade practices in interstate commerce. And if the FTC indeed has the authority to take any such company to court for “unfair” data security practices under Section 5, without any FTC regulations under Section 5 setting standards for exactly what constitutes adequate data security… well, one can appreciate why many in the general business community are uneasy.

When the FTC sued Wyndham in federal court for inadequate data security, Wyndham raised every argument its lawyers could think of to dismiss the FTC’s unfairness claims. After failing to convince the trial court, Wyndham next took an interlocutory appeal to the Third Circuit Court of Appeals, the first appellate court ever to consider this issue, and asked that the FTC be stopped. But instead of a red light (a ruling of no FTC authority) or a yellow light (a ruling on other grounds), the Third Circuit Court of Appeals’ decision, handed down this week, gives the FTC a clear green light to pursue its claims against Wyndham for alleged unreasonable data security as an unfair business practice.

Key rulings 

  • Congress intentionally declined to identify the specific practices that FTC Act Section 5 prohibits as “unfair.” Instead, Congress left “unfair” as a flexible concept for the FTC to develop, subject to Section 5’s 1994 amendment requiring that such practices (1) cause or are likely to cause substantial injury to consumers (2) that consumers cannot reasonably avoid and (3) that is not outweighed by countervailing benefits to consumers or competition. And deceptive conduct, such as a company misrepresenting its security safeguards, can be pertinent to whether consumers could have reasonably avoided providing their personal information in the first place.
  • Though hackers may be the direct cause of a security breach, a victim company’s inadequate security practices can nevertheless be “unfair” under Section 5 by making it more likely that consumers will be substantially injured. Wyndham argued that this interpretation would make the FTC’s authority endless, likening it to the FTC suing supermarkets that are “sloppy about sweeping up banana peels.” The court responded that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability” under Section 5.
  • Yes, Congress has indeed given the FTC specific regulatory authority for data security under other statutes that focus on particular industries or activities, but this does not limit the FTC’s authority under Section 5.
  • (Bear with us – this one’s convoluted, but important) The court directly interpreted FTC Act Section 5 in this case, rather than relying on or deferring to the FTC’s administrative interpretation of the statute. As a result, Wyndham was not entitled to “fair notice” or “ascertainable certainty” of the FTC’s interpretation of what data security practices are “unfair” under Section 5, through either FTC regulations (there are none under Section 5 for data security) or agency adjudications (prior agency enforcement actions on data security were settled, not adjudicated). Instead, Wyndham was only entitled to “fair notice” of the statute itself – perhaps the only argument not squarely raised by Wyndham.
  • Wyndham had fair notice of how FTC Act Section 5 related to Wyndham’s security practices. According to the court, the statute “informs parties that the relevant inquiry here is a cost-benefit analysis … that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” The court concluded that Wyndham’s alleged lack of security safeguards, the allegation that Wyndham was hacked multiple times, and prior FTC published guidance and enforcement settlements were enough in this case to provide fair notice.

What this means

This ruling affirms the denial of Wyndham’s motion to dismiss – the case will now proceed through discovery to settlement or trial. But, unless and until the U.S. Supreme Court takes the case and reverses the Third Circuit’s decision, or a different case in a different federal circuit has a different result, the FTC has a green light to sue commercial companies in court for inadequate data security as an unfair business practice under the FTC Act.

And yes, according to the Third Circuit Court of Appeals, the FTC’s prior agency enforcement actions on data security do not bind federal courts in deciding what security practices are “unfair” under FTC Act Section 5. But that misses the point. Remember, FTC lawsuits over data security only make it to court if the FTC files them in the first place. And the FTC’s history of data security administrative enforcement, coupled with published FTC guidance, is indispensable for understanding the FTC’s views – and litigation priorities – on adequate data security.

For a briefing paper analyzing the FTC’s data security positions in over 50 administrative enforcement actions under FTC Act Section 5, the Gramm-Leach-Bliley Act, FACTA, and COPPA, click here.