{"id":301,"date":"2015-08-24T16:51:28","date_gmt":"2015-08-24T20:51:28","guid":{"rendered":"http:\/\/blogs.duanemorris.com\/techlaw\/?p=301"},"modified":"2015-08-24T16:51:28","modified_gmt":"2015-08-24T20:51:28","slug":"the-third-circuit-confirms-that-the-ftc-has-authority-to-regulate-cybersecurity-practices-under-the-unfairness-prong-of-the-ftc-act-and-does-not-have-provide-specific-cybersecurity-standards-for-busin","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/techlaw\/2015\/08\/24\/the-third-circuit-confirms-that-the-ftc-has-authority-to-regulate-cybersecurity-practices-under-the-unfairness-prong-of-the-ftc-act-and-does-not-have-provide-specific-cybersecurity-standards-for-busin\/","title":{"rendered":"The Third Circuit Confirms That the FTC Has Authority to Regulate Cybersecurity Practices Under The Unfairness Prong of the FTC Act and Does Not Have Provide Specific Cybersecurity Standards for Businesses to Follow"},"content":{"rendered":"<p>In a long awaited ruling, in <em>Federal Trade Commission v. Wyndham Worldwide Corp<\/em>, the Third Circuit rejected Wyndham\u2019s argument that the FTC has no authority to regulate its cybersecurity practices under the unfairness prong of the FTC Act and that businesses are not entitled to notice of the specific cybersecurity standards they must follow.<\/p>\n<p><u>Unfair Cybersecurity Practices<\/u><\/p>\n<p>In 2008 and 2009, hackers successfully accessed Wyndham\u2019s computer systems and stole personal and financial information for over 619,000 consumers in three different attacks that led to over $10.6 million in fraudulent charges.<\/p>\n<p>In its opinion, the Third Circuit first rejected Wyndham\u2019s argument that the plain meaning of the word \u201cunfair\u201d imposes independent requirements that are not met. Instead, it held that Wyndham\u2019s alleged conduct does not fall outside the plain meaning of the word unfair.<\/p>\n<p>Notably, the Third Circuit found that \u201cfacts relevant to unfairness and deception claims frequently overlap\u201d and that Wyndham\u2019s privacy policy was directly relevant to whether Wyndham\u2019s conduct was unfair at this state of the litigation.<\/p>\n<p>It also dismissed Wyndham\u2019s argument that it cannot treat its customers in an unfair manner when its own business was victimized by criminals because the FTC Act expressly contemplates the possibility that conduct can be unfair before an actual injury occurs. As such, the Third Circuit held that Wyndham\u2019s alleged conduct fell within the unfair prong of the FTC Act.<\/p>\n<p><u>Fair Notice<\/u><\/p>\n<p>The Third Circuit also rejected Wyndham\u2019s argument that it was entitled to know with ascertainable certainty the FTC\u2019s interpretation of what cybersecurity practices are required by the FTC Act. The Third Circuit held that by Wyndham\u2019s own admission, this case involved the ordinary judicial interpretation of a civil statue and therefore, a low level of statutory notice was required. Moreover, the FTC act is not so vague as to have no rule or standard by which Wyndham could comply.<\/p>\n<p>Instead, the Third Circuit held that the key question is whether Wyndham had fair notice of the statute itself. That standard is satisfied if the company can reasonably foresee that the court can construe its conduct as falling within the meaning of the statute. While it may have been unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees, in this case, Wyndham did not argue that it wasn\u2019t aware of the published FTC complaints or consent decrees. Instead, it only argued that it didn\u2019t have specific notice of what the law requires.<\/p>\n<p>This decision reflects the importance of working with sophisticated counsel with experience in privacy and security to develop robust cybersecurity practices and policies that are tailored to meet the needs of each business.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a long awaited ruling, in Federal Trade Commission v. Wyndham Worldwide Corp, the Third Circuit rejected Wyndham\u2019s argument that the FTC has no authority to regulate its cybersecurity practices under the unfairness prong of the FTC Act and that businesses are not entitled to notice of the specific cybersecurity standards they must follow. Unfair &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blogs.duanemorris.com\/techlaw\/2015\/08\/24\/the-third-circuit-confirms-that-the-ftc-has-authority-to-regulate-cybersecurity-practices-under-the-unfairness-prong-of-the-ftc-act-and-does-not-have-provide-specific-cybersecurity-standards-for-busin\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;The Third Circuit Confirms That the FTC Has Authority to Regulate Cybersecurity Practices Under The Unfairness Prong of the FTC Act and Does Not Have Provide Specific Cybersecurity Standards for Businesses to Follow&#8221;<\/span><\/a><\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"ppma_author":[874],"class_list":["post-301","post","type-post","status-publish","format-standard","hentry","category-infotechtelecom"],"authors":[{"term_id":874,"user_id":26,"is_guest":0,"slug":"jeskie","display_name":"Sandra A. Jeskie","avatar_url":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2018\/01\/jeskiesandra-125x150.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/comments?post=301"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/301\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/media?parent=301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/categories?post=301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/tags?post=301"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/ppma_author?post=301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}