Federal Circuit Court Reinforces FTC’s Authority to Act in Data Breach Cases
By: Gary A. Kibel and Justin H. Lee
The Third U.S. Circuit Court of Appeals confirmed that the Federal Trade Commission (FTC) has the authority to bring enforcement actions against companies with deficient cybersecurity measures that fail to protect consumer data against hackers.
On three occasions in 2008 and 2009, hackers accessed Wyndham Worldwide Corporation’s computer systems, allegedly stealing the information of hundreds of thousands of customers, leading to over $10.6 million in fraudulent charges. The FTC sued, alleging that Wyndham had engaged in unfair cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The U.S. District Court in New Jersey denied Wyndham’s motion to dismiss. Wyndham appealed, arguing that the FTC did not have the authority to regulate cybersecurity under Section 5(a) of the FTC Act (the Act), and that even if it did, Wyndham did not have fair notice regarding specific cybersecurity practices.
Third Circuit Decision
The Bottom Line
For the past decade, the FTC has been bringing actions under the Act against companies with deficient data security practices that failed to protect consumer data against hackers. With the Third Circuit’s decision affirming the FTC’s authority, one can expect an emboldened FTC to take even more action in this area.
All companies should:
- Re-assess their cybersecurity practices to ensure consistency with and accurate disclosure under all public statements, such as privacy policies
- Make sure adequate steps have been taken to protect consumer data from unauthorized access
Gary A. Kibel is a partner in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert. He may be reached at 212.468.4918 or firstname.lastname@example.org. Justin H. Lee is an associate in the Advertising, Marketing & Promotions Practice Group of the firm. He may be reached at 212.468.4894 and email@example.com.