In a long-awaited ruling in Federal Trade Commission v. Wyndham Worldwide Corp., the Third Circuit rejected Wyndham’s arguments that the FTC has no authority to regulate its cybersecurity practices under the unfairness prong of the FTC Act and that businesses are entitled to notice of the specific cybersecurity standards they must follow.
Unfair Cybersecurity Practices
In 2008 and 2009, hackers successfully accessed Wyndham’s computer systems and stole personal and financial information for over 619,000 consumers in three different attacks that led to over $10.6 million in fraudulent charges.
In its opinion, the Third Circuit first rejected Wyndham’s argument that the plain meaning of the word “unfair” imposes independent requirements that are not met. Instead, it held that Wyndham’s alleged conduct does not fall outside the plain meaning of the word unfair.
Notably, the Third Circuit found that “facts relevant to unfairness and deception claims frequently overlap” and that Wyndham’s privacy policy was directly relevant to whether Wyndham’s conduct was unfair at this stage of the litigation.
It also dismissed Wyndham’s argument that it cannot treat its customers in an unfair manner when its own business was victimized by criminals, because the FTC Act expressly contemplates the possibility that conduct can be unfair before an actual injury occurs. As such, the Third Circuit held that Wyndham’s alleged conduct fell within the unfairness prong of the FTC Act.
Fair Notice
The Third Circuit also rejected Wyndham’s argument that it was entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by the FTC Act. The Third Circuit held that, by Wyndham’s own admission, this case involved the ordinary judicial interpretation of a civil statute and therefore only a low level of statutory notice was required. Moreover, the FTC Act is not so vague as to provide no rule or standard with which Wyndham could comply.
Instead, the Third Circuit held that the key question is whether Wyndham had fair notice of the statute itself. That standard is satisfied if the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute. While it may have been unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees, in this case Wyndham did not argue that it was unaware of the published FTC complaints or consent decrees. Instead, it argued only that it did not have specific notice of what the law requires.
This decision reflects the importance of working with sophisticated counsel with experience in privacy and security to develop robust cybersecurity practices and policies that are tailored to meet the needs of each business.