On August 24, 2015, the Third Circuit affirmed U.S. District Court Judge Esther Salas’ April 2014 ruling in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) that the FTC has the authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act. In this highly anticipated precedential opinion, the Court decided that Wyndham’s cybersecurity practices as alleged by the FTC fit the definition of “unfair” when compared with its stated security policies. In doing so, the Court rejected Wyndham’s arguments that (i) its conduct fell outside the plain meaning of “unfair,” (ii) recent legislative acts (FCRA, GLB, COPPA) had reshaped Section 5 so as to exclude cybersecurity from the FTC’s authority, and (iii) the FTC’s interpretation of Section 5 was inconsistent with its efforts to obtain similar regulatory authority from Congress.
In the unanimous opinion, the Third Circuit also affirmed the District Court’s finding that the FTC provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices that the agency deems reasonable to avoid liability under the FTC Act. The court noted that, from the statutory text alone, Wyndham had fair notice that the “relevant inquiry” under the statute “is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” The court pointed to the FTC’s publicly available complaints in other matters, as well as the FTC’s Protecting Personal Information: A Guide for Business Guidebook published in 2007, as notice of what may constitute a Section 5 unfairness violation under a cost-benefit analysis. For example, the Guidebook in particular notes the importance of encrypting sensitive information, monitoring vulnerabilities, applying approved patches, implementing firewalls, utilizing strong passwords, setting access controls, and drafting and executing breach response plans.
Based on this opinion, companies should expect to see the FTC continue to flex its authority under the unfairness prong of Section 5 in policing companies’ data security practices. Companies would also be well advised to review recent FTC complaints, as well as the FTC’s 2007 Guidebook, to evaluate their data security standards in light of the cost-benefit analysis articulated by the Third Circuit. In the meantime, the Wyndham case will return to the District Court to move forward on the merits.