A New (Old) Sheriff: The FTC’s Authority on Cybersecurity Affirmed

By Julie Liu

As news coverage of hacks and leaked information reminds us, consumers and employees take a gamble whenever they hand their personal information to a company. Consciously or not, they count on the company's technical competence, combined with its data security policies, to keep that information safe. While this has not changed much since businesses first went digital, regulation is gradually catching up. For the Federal Trade Commission (FTC), cybersecurity has been a top priority in recent years, and it will likely tighten its grip on businesses with inadequate security measures.

Late last month, the U.S. Court of Appeals for the Third Circuit issued its long-awaited ruling in FTC v. Wyndham Worldwide Corporation, a case that reexamined the FTC's authority to regulate cybersecurity. Litigation began in 2012 when the FTC sued Wyndham Worldwide, the hotel chain, for unfair business practices. The FTC alleged that Wyndham's inadequate data security led to three data breaches at Wyndham hotels within two years. According to the complaint, these breaches compromised more than 619,000 payment card accounts and caused over $10.6 million in fraud loss. Wyndham moved to dismiss the complaint, arguing that the FTC lacked the authority to bring the suit in the first place. The district court denied the motion last year, and the Third Circuit has now affirmed that order on interlocutory appeal.

According to the Third Circuit, the FTC's regulatory power does extend to cybersecurity under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce" (15 U.S.C. § 45(a)). The court reasoned that Wyndham's conduct fell within the plain meaning of unfairness. Specifically, Wyndham's privacy policy held out reliable cybersecurity as a selling point to customers, and the company then failed to deliver it. The court also rejected Wyndham's argument that a practice cannot be both unfair and deceptive; the gap between the privacy policy and the company's actual practices therefore counted against Wyndham alongside the underlying data security failures.

Although the case will proceed in the district court, the Third Circuit panel's decision carries an important takeaway: the FTC has the authority to hold companies accountable for unfair cybersecurity practices. The Third Circuit also rejected Wyndham's claim that it lacked fair notice of the specific cybersecurity practices required to avoid liability, holding that Wyndham was entitled only to fair notice of the meaning of the statute, not of the FTC's detailed interpretation of it. Companies are therefore officially on the hook when it comes to data security, and on the FTC's unfairness theory they may face liability even where no actual data breach has occurred.

This outcome is not particularly surprising, but it gives businesses a definitive answer on the FTC's role in cybersecurity matters. Combined with recent FTC testimony requesting broader investigative access to electronic communications, the Third Circuit panel's decision looks like part of a long-term effort to extend regulatory authority to keep pace with the technology businesses actually use. Unfortunately, as practitioners point out, the bigger muscles do not come with clearer guidelines for what counts as acceptable security measures. For now, the most useful standards are the outcomes of the FTC's own cybersecurity actions (including the district court's impending treatment of Wyndham's data security failures). Until more systematic guidance arrives, businesses can at least measure their cybersecurity programs against the practical tips the FTC has published, and, just as importantly, avoid deceptive or misleading statements in their privacy policies about how robust those programs are.

