Recently, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (the “FTC”) may pursue a lawsuit against Wyndham Worldwide Corporation, a hotel and time-share operator, for “unfair and deceptive” cybersecurity practices. In its complaint, the FTC alleged that Wyndham had “unreasonably and unnecessarily” exposed consumers’ personal data in more than 600,000 payment-card accounts, resulting in three data breaches in 2008 and 2009. According to the FTC, these data breaches resulted in approximately $10.6 million in fraudulent charges and constitute a violation of the “unfair and deceptive practices” prongs of Section 5 of the FTC Act (15 U.S.C. § 45). Section 5(a) of the FTC Act prohibits unfair or deceptive acts or practices (“UDAP”) in or affecting commerce, and this standard applies to any person or entity doing business.
Getting Hacked May Mean a UDAP?
According to the FTC complaint, Wyndham failed to follow its own data-security protocol by committing the following data-security errors:
- Storing customers’ payment-card information in clear, readable text;
- Using easily guessed passwords to access the company’s property management systems;
- Failing to use “readily available security measures” such as firewalls to limit access to the company’s systems, its corporate network, and the Internet;
- Maintaining permissive networking protocols, including nonupdated security programs and inadequate password protection;
- Failing to comply with its own policies and procedures, which claimed that the company safeguards customer data “using industry standard practices”; and
Allowing third-party vendors easy access to networks and servers.
Significance of the Third Circuit Ruling
Wyndham challenged the FTC’s authority to enforce cybersecurity practices, sought to dismiss the suit on grounds that its conduct does not meet the definition of “unfair” or “deceptive,” and that the FTC cybersecurity rules were too vague. The Third Circuit ruled, however, that the FTC does have authority over unfair acts or practices that cause or are likely to cause substantial injury to consumers, are not reasonably avoidable by consumers themselves, and are not outweighed by countervailing benefits to consumers or to competition. In addition, the court ruled that Wyndham had had adequate notice that its conduct might give rise to liability in light of the FTC’s publicly available data security guidance and earlier enforcement actions, and because Wyndham had been repeatedly hacked.
The Third Circuit’s ruling constitutes a significant victory for the FTC for two reasons. First, the ruling allows the FTC to regulate data security without being formally required to issue rules and regulations detailing data-security practices that are considered “reasonable” in the eyes of the agency. Second, the ruling gives the FTC the ability to use Section 5 of the FTC Act to pursue lax data-security practices based on ad hoc government interpretations of what is “unfair, deceptive or abusive” to a customer. Companies will be required to track FTC guidance, complaints, enforcement actions, and adjudications in order to get a sense of what things they need to do from a compliance standpoint.
Businesses should work with counsel to review their data-security protocols and operational policies and procedures to ensure compliance with the FTC’s guidance and enforcement efforts.