Third Circuit Says FTC Has Jurisdiction Over Cybersecurity And Privacy Practices
September 1, 2015 | Author: Larry A. Silverman
Law Firm: Dickie, McCamey & Chilcote, P.C. - Pittsburgh Office

    In a closely watched case, the U.S. Court of Appeals for the Third Circuit has affirmed that the Federal Trade Commission has jurisdiction over charges that Wyndham Worldwide Corporation’s cybersecurity and privacy practices were “unfair” under 15 U.S.C. § 45(a). FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).

    The FTC had filed suit against Wyndham in 2012 citing three occasions where hackers had gained access to the hotel chain’s computer system and stolen personal and financial information from hundreds of thousands of customers during 2008 and 2009. In its complaint, the FTC charged that Wyndham “engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

    In particular, the FTC noted that Wyndham: (i) permitted hotels to store payment information in clear readable text; (ii) allowed the use of easily guessed passwords to access the property management system; (iii) failed to use “readily available security measures,” such as firewalls, to limit access between its systems; and (iv) failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.” Additionally, the FTC charged that Wyndham’s Privacy Policy misrepresented its capacity and ability to withstand such data breaches.

    The FTC alleged that, because of these practices taken collectively, Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. § 45(a).

    Wyndham filed a motion to dismiss the FTC’s action, which the U.S. District Court for the District of New Jersey denied. However, the District Court certified its decision on the unfairness claim for interlocutory appeal.

    In holding that the FTC did have jurisdiction over these claims, the Third Circuit initially cited a 1980 policy statement issued by the FTC. In that statement, the Court noted, the FTC had clarified that the injury must satisfy three tests in order to justify a finding of unfairness, and Congress later codified the FTC’s three-pronged test in 15 U.S.C. § 45(n). Under this test, the injury: (i) must be substantial; (ii) must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and (iii) must be an injury that consumers themselves could not reasonably have avoided.

    In support of its reasoning, the Court highlighted a number of Wyndham’s practices that it did not consider “equitable.” One such practice was the language in Wyndham’s Privacy Policy: the Court observed that a company does not act equitably when it publishes a Privacy Policy to attract customers who are concerned about data privacy and then fails to make good on that promise, thereby exposing its customers to financial injury.

    Wyndham also argued on appeal that, regardless of whether its conduct was unfair under section 45, the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow. In rejecting this argument, the Court held that the relevant question is not whether Wyndham was entitled to know with “ascertainable certainty” the FTC’s interpretation of what cybersecurity practices are statutorily required, but rather whether the company had fair notice that its conduct could fall within the meaning of the statute.

    The Wyndham case has been closely watched, as regulators and the public seek to hold companies responsible for cyber breaches and related privacy practices. The Third Circuit’s decision clears the way for the FTC to prosecute more companies that fail to adequately secure their technology systems and fail to accurately disclose in their Privacy Policy the privacy and security practices they employ.