Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week, when the Third Circuit affirmed Judge Esther Salas’ refusal to dismiss the Federal Trade Commission’s lawsuit against Wyndham, which alleged unfair and deceptive trade practices under 15 U.S.C. § 45(a).
As the Third Circuit noted, the FTC has brought administrative actions under § 45(a) against firms with allegedly deficient cybersecurity since 2005, most of which have ended in settlement. Wyndham, whose computer systems were hacked on three occasions in 2008 and 2009, did not settle, but rather advanced the argument that the FTC has consistently overstepped its statutory authority in using the FTC Act’s prohibition on “unfair or deceptive acts or practices in or affecting commerce” to sue firms whose cybersecurity leaves consumers vulnerable to hackers.
Across forty-seven pages, the Third Circuit vigorously disagreed with Wyndham and embraced a broad conception of the FTC’s authority to regulate. The legal arguments are numerous and wide-ranging, but among them, Wyndham’s due process claim merits discussion as a reminder of the need to keep up to date with developments in cybersecurity and in the FTC’s enforcement activities.
Wyndham argued that punishment pursuant to the FTC Act was unconstitutional because Wyndham lacked notice of what specific cybersecurity practices were needed to comply with the Act. The Third Circuit noted that the standard for what constitutes fair notice is “especially lax for civil statutes that regulate economic activities”; in such a circumstance, to be impermissible the relevant regulatory standard must be “so vague as to be no rule or standard at all.” CMR D.N. Corp. v. City of Philadelphia, 703 F.2d 612, 631-32 (3d Cir. 2013). The Court then pointed to 15 U.S.C. § 45(n), which empowers the FTC to declare unfair a practice that “causes or is likely to cause substantial injury to consumers which is not unreasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The Third Circuit acknowledged that § 45(n)’s balancing test is hardly a firm guide for companies wondering whether their conduct comports with the Act, but neither is it unconstitutionally vague: “under a due process analysis a company is not entitled to such precision as would eliminate all close calls […] Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Where should companies look for guidance, then? The Third Circuit’s answer: to the FTC’s “expert views about the characteristics of a sound data security plan,” in particular, its 2007 guidebook, Protecting Personal Information: A Guide for Business, as well as its ongoing complaints in administrative cases raising unfairness claims based on inadequate cybersecurity.
The Guide is, of course, only the tip of the FTC-guidance iceberg, which also features an informational website and a regularly updated blog. But even voluminous guidance materials cannot answer every question or provide a checklist of measures that will succeed every time. (In cybersecurity, after all, the latter does not exist.) This is why companies need an individualized approach to cybersecurity, one that takes into account both advances in technology and trends in enforcement.