The Third Circuit Confirms That the FTC Has Authority to Regulate Cybersecurity Practices Under the Unfairness Prong of the FTC Act and Does Not Have to Provide Specific Cybersecurity Standards for Businesses to Follow

In a long-awaited ruling in Federal Trade Commission v. Wyndham Worldwide Corp., the Third Circuit rejected Wyndham’s argument that the FTC has no authority to regulate its cybersecurity practices under the unfairness prong of the FTC Act, and held that businesses are not entitled to notice of the specific cybersecurity standards they must follow.

Unfair Cybersecurity Practices

In 2008 and 2009, hackers successfully accessed Wyndham’s computer systems and stole personal and financial information for over 619,000 consumers in three different attacks that led to over $10.6 million in fraudulent charges.

In its opinion, the Third Circuit first rejected Wyndham’s argument that the plain meaning of the word “unfair” imposes independent requirements that are not met. Instead, it held that Wyndham’s alleged conduct does not fall outside the plain meaning of the word “unfair.”

Notably, the Third Circuit found that “facts relevant to unfairness and deception claims frequently overlap” and that Wyndham’s privacy policy was directly relevant to whether Wyndham’s conduct was unfair at this stage of the litigation.

The court also dismissed Wyndham’s argument that it cannot treat its customers in an unfair manner when its own business was victimized by criminals, because the FTC Act expressly contemplates the possibility that conduct can be unfair before an actual injury occurs. As such, the Third Circuit held that Wyndham’s alleged conduct fell within the unfairness prong of the FTC Act.

Fair Notice

The Third Circuit also rejected Wyndham’s argument that it was entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by the FTC Act. The Third Circuit held that, by Wyndham’s own admission, this case involved the ordinary judicial interpretation of a civil statute and therefore a low level of statutory notice was required. Moreover, the FTC Act is not so vague as to have no rule or standard by which Wyndham could comply.

Instead, the Third Circuit held that the key question is whether Wyndham had fair notice of the statute itself. That standard is satisfied if the company can reasonably foresee that the court can construe its conduct as falling within the meaning of the statute. While it may have been unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees, in this case, Wyndham did not argue that it wasn’t aware of the published FTC complaints or consent decrees. Instead, it only argued that it didn’t have specific notice of what the law requires.

This decision reflects the importance of working with sophisticated counsel with experience in privacy and security to develop robust cybersecurity practices and policies that are tailored to meet the needs of each business.

Student’s Internship Canceled After Exposing Facebook Privacy Issue

Many college students likely would covet an internship at Facebook. One Harvard University student landed such an internship. However, he says that the internship offer to him was rescinded by Facebook because he reportedly exposed privacy flaws in Facebook’s mobile messenger. Is that correct or not, and what lesson has been learned?

Harvard student Aran Khanna launched a browser application from his dorm room. The app revealed that Facebook Messenger users were able to precisely pinpoint the geographic locations of people with whom they were communicating, as reported by The Guardian.

Cyberwar Happening Here and Now?

Conflict has unfortunately been part of the human experience for thousands of years. In prehistoric times, rocks, sticks, and bones were some of the weapons of choice. Over time, humans became more sophisticated, utilizing knives, swords, bows and arrows, and eventually guns and cannons. Recent developments include nuclear threats and drone strikes.

There has been concern, rightly, that the Internet might provide a further means for waging war or dismantling the means of waging war by others. For example, a few years ago, Stuxnet, a computer worm, reportedly was launched by a U.S. and Israeli intelligence operation to attack and cause the tearing apart of programmable logic controllers of certain Iranian centrifuges that were designed for potential nuclear purposes.

Twitter Faces Copyright Infringement Allegations

Social media sites host many thousands of photos posted by people on a daily basis. An obvious issue arises as to whether and when these sites might be liable for copyright infringement with respect to any of the posted photos.

A recent case is worthy of consideration.

Kristen Pierson, a professional photographer who has won awards for her work, has filed legal action in California against Twitter, according to Wired, with respect to a copyrighted photo that was shared on Twitter.

Adultery Gone Awry on the Internet

The Ashley Madison site declares on its home page that “Life is short. Have an affair.” The home page goes on to state that “Ashley Madison is the world’s leading married dating service for discreet encounters.” The site also boasts “over 38,050,000 anonymous members!” But how anonymous are those members, really?

People engage in all sorts of communications and transactions on the Internet. Generally, they like to believe that their personal information is handled confidentially. For example, if someone buys an item from Amazon, she hopes that her name, credit card information, and address will not be publicly disseminated.

How Much Immunity Is Provided by CDA Section 230?

Internet service providers (ISPs) like to believe that in Section 230 of the Communications Decency Act (CDA) Congress afforded them broad immunity from any liability potentially caused by third-party content posted on ISP sites. But how secure is that immunity? Let’s look at a few important cases to explore the answer to that question.

Zeran v. America Online, 129 F.3d 327 (4th Cir. 1997), was an early case to address the scope of immunity provided to ISPs by CDA Section 230. In that case, an anonymous poster urged the public to call Kenneth Zeran to buy goods displaying disgusting expressions of celebration of the 1995 Oklahoma City federal building bombing.

Selfies Going Business Mainstream?

Selfies — are you a fan or a hater? Either way, selfies may soon not only be personal, but they may also have a business function. Stay with me here.

Yes, there are people who take photos of themselves on their smartphones on practically a constant basis so that we can see them in every life activity imaginable on social media or mobile-friendly blogs. And yes, this can be annoying, even if some of these photos might actually be interesting if we were not otherwise inundated by mundane selfie photos.

Mitigating Cyber Risks

Let’s face it, the Internet can be a scary place from a risk standpoint. Indeed, it seems that on practically a daily basis we hear about a massive security breach and the theft of sensitive and personal data.

So, what are companies to do to mitigate cyber risks? Of course, they should employ best-in-class technologies that are designed to block cyber intrusions and attacks. They also should implement and enforce company-wide cybersecurity policies.

Big Everything

We keep hearing about what is going to be “the next big thing.” That concept seems ever-elusive, perhaps because there has been a constant state of “bigness,” if I may call it that, since long before humankind developed the notion of time.

I was fortunate enough last week to participate in the immersive, five-day Big History Institute at Dominican University of California. Scholars from around the country convened to contemplate, share and discuss big history issues, past, present and even future.

Facebook A Major Instant-Messaging Player

We all know that Facebook is the social networking beast – with approximately 1.4 billion users across the globe. Who doesn’t have a Facebook page? But if that were not enough, Facebook also is becoming an instant-messaging major player.

Indeed, according to CNET, Facebook Messenger already has as many as 700 million monthly users, as reported by CEO Mark Zuckerberg at a recent company annual meeting.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
