Federal Circuit Court Reinforces FTC’s Authority to Act in Data Breach Cases

By: Gary A. Kibel and Justin H. Lee

The Third U.S. Circuit Court of Appeals confirmed that the Federal Trade Commission (FTC) has the authority to bring enforcement actions against companies with deficient cybersecurity measures that fail to protect consumer data against hackers.

Background

On three occasions in 2008 and 2009, hackers accessed Wyndham Worldwide Corporation’s computer systems, allegedly stealing the information of hundreds of thousands of customers, leading to over $10.6 million in fraudulent charges. The FTC sued, alleging that Wyndham had engaged in unfair cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The U.S. District Court in New Jersey denied Wyndham’s motion to dismiss. Wyndham appealed, arguing that the FTC did not have the authority to regulate cybersecurity under Section 5(a) of the FTC Act (the Act), and that even if it did, Wyndham did not have fair notice regarding specific cybersecurity practices.

Third Circuit Decision

Affirming the District Court decision, the Third Circuit rejected Wyndham’s arguments and reinforced the FTC’s authority to pursue data security cases through its power to prohibit “unfair or deceptive acts or practices in or affecting commerce” under the Act. Further, the Third Circuit found that Wyndham had not acted equitably by failing to uphold assurances made about its data security practices in its privacy policy by “investing inadequate resources in cybersecurity”, exposing its unsuspecting customers to “substantial financial injury,” and retaining the profits of their business. The Third Circuit further found that Wyndham did have fair notice of the meaning of the Act, and that the FTC was not required to provide “with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.”

The Bottom Line

For the past decade, the FTC has been bringing actions under the Act against companies with deficient data security practices that failed to protect consumer data against hackers. With the Third Circuit’s decision affirming the FTC’s authority, one can expect an emboldened FTC to take even more action in this area.

All companies should:

• Re-assess their cybersecurity practices to ensure consistency with and accurate disclosure under all public statements, such as privacy policies
• Make sure adequate steps have been taken to protect consumer data from unauthorized access

          

Gary A. Kibel is a partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert. He may be reached at 212.468.4918 or gkibel@dglaw.com. Justin H. Lee is an associate in the Advertising, Marketing & Promotions Practice Group of the firm. He may be reached at 212.468.4894 and jlee@dglaw.com.