Case: FTC v. Wyndham Worldwide Corp.
Issue: Whether the Federal Trade Commission (FTC) has authority to bring an enforcement action against Wyndham Worldwide Corp. (Wyndham) over inadequate cybersecurity under the unfairness prong of Section 5 of the FTC Act.
Case Summary: The Third Circuit ruled that the FTC has authority under the unfairness prong of Section 5 of the FTC Act to bring an enforcement action against Wyndham for failure to provide “reasonable” cybersecurity.
The FTC alleged that from 2008 to early 2010, hackers breached Wyndham’s corporate computer system on three separate occasions and stole credit and debit card numbers of approximately 619,000 consumers. In June 2012, the FTC brought an enforcement action asserting that Wyndham violated the unfairness prong of Section 5 of the FTC Act by failing to provide “reasonable” cybersecurity for the personal information of its customers, which resulted in $10.6 million in losses due to fraud.
In April 2014, Wyndham filed a motion to dismiss asserting that the FTC does not have authority to “impose general data-security standards” on businesses in all industries in the absence of specific legislation. The New Jersey district court denied the motion but certified its decision for appeal to the Third Circuit.
The Third Circuit affirmed the district court’s ruling that the FTC has authority to regulate cybersecurity under Section 5 of the FTC Act. First, the Court rejected Wyndham’s argument that the FTC failed to prove “unfair” practices within the plain meaning of that term, concluding that “standard doesn’t require unscrupulous or unethical behavior if there is injury to consumers, nor must the conduct be not equitable.” Second, the Court rejected Wyndham’s argument that Congress gave the FTC specific data security enforcement powers with the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. In the Court’s view, the legislation does not conflict with the FTC Act, and the legislation was not “inexplicable” if the FTC had authority to regulate cybersecurity under Section 5. Finally, the Court rejected Wyndham’s argument that it lacked fair notice regarding its cybersecurity practices, on the grounds that Wyndham “was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required.”
Bottom Line: The Third Circuit’s decision will strengthen the FTC’s exercise of authority over issues of cybersecurity.