Third Circuit Affirms FTC’s Authority Over Data Security: Decision Underscores Need for Cyber Policies and Procedures


By: David Cole

This week, the U.S. Court of Appeals for the Third Circuit released its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corporation, unanimously upholding the FTC’s authority to regulate businesses’ data security practices under Section 5 of the Federal Trade Commission Act (FTC Act).  As a result, businesses can expect increased enforcement by the FTC and greater scrutiny of their data security practices.

Section 5 of the FTC Act declares it unlawful for a business to engage in any “unfair or deceptive acts or practices in or affecting commerce,” and it empowers the FTC to enforce this provision through administrative actions and civil actions in federal court.  In recent years, the FTC has taken the position that businesses with inadequate data security practices, and businesses that do not adhere to their published data security and privacy policies, engage  in unfair and deceptive practices.  This has caught by surprise many who have not thought of inadequate data security as a potential unfair or deceptive practice.

The Third Circuit’s decision originated from a lawsuit that the FTC filed in federal court alleging that Wyndham engaged in unfair and deceptive practices surrounding three data breaches that occurred in 2008 and 2009.  It alleged that Wyndham’s data security was insufficient in a number of ways, including that:

  • payment card information was stored in clear readable text (instead of encrypted);
  • simple, easily guessed passwords were used (instead of complex passwords and multi-factor authentication);
  • readily available security measures were not used to limit access between systems (like firewalls);
  • adequate information policies and procedures were not implemented;
  • measures to detect and prevent unauthorized access were not used (like intrusion detection systems); and
  • proper incident response procedures were not followed.

Wyndham moved to dismiss the lawsuit, arguing that the FTC is not empowered to regulate businesses’ data security practices under section 5 of the FTC Act.  Alternatively, it argued that the FTC had not given “fair notice” of the data security standards it would enforce, and which businesses needed to satisfy in order to comply with the FTC Act.  The district court denied Wyndham’s motion to dismiss, but allowed it to appeal to the Third Circuit.  Many had hoped that the Third Circuit would reign in the FTC’s efforts to extend itself into the field of data security, but instead got the opposite result.

The Third Circuit unanimously agreed with the FTC and rejected Wyndham’s arguments, holding that the FTC does have authority under the FTC Act’s “unfairness” prong to bring enforcement actions against businesses for having inadequate data security.  The court cited language in the FTC Act, which authorizes the FTC to declare an act or practice unfair, in violation of section 5, if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  In Wyndham’s case, the court decided that consumers could not have reasonably avoided their injury because Wyndham’s published privacy policy misled them by suggesting that it took steps to safeguard confidential information, when, in fact, it actually did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

The Third Circuit also rejected Wyndham’s fair notice argument, stating that it was not entitled to know with “ascertainable certainty” what cybersecurity standards the FTC would require.  Instead, it held that the requirement of fair notice is met so long as a business can “reasonably foresee that a court could construe [its] conduct as falling within the meaning of the statute.”  Since Wyndham allegedly lacked “any” firewalls, encryption for certain customer files, and password requirements, among other things, the court held that Wyndham should have been on notice of the possibility that a court could find that its data security practices were unreasonable.

It is not yet known whether Wyndham will seek further review of the decision.  In the meantime, the Third Circuit’s decision establishes precedent that may be followed by other courts and, unless and until there is further appellate review or a challenge in another circuit that is decided against the FTC, it seems that the question of the FTC’s authority to regulate the data security field is now established.  As a result, businesses can expect more enforcement by the FTC and greater scrutiny of their data security practice.

This underscores the importance that businesses must place on their data security practices.  As we have written before, it is critical that businesses implement policies regarding their data security practices and their procedures for responding to a data breach if one occurs.  To help our clients accomplish this, FMG has developed a Data Breach Toolkit, which consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.  To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team  attorneys.

FMG Data Breach Response Team

To best service our clients, you have 24/7 around-the-clock access to our Data Breach Response Team. Our attorneys provide you with a single point of contact for an immediate determination of the appropriate response to the breach and, where warranted, they will dispatch appropriate support service providers to your location to begin any investigation or resolution work that is needed. The lead members of our Data Breach Response Team are:

David Cole – Cyber Team Chair
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]John Goselin (Atlanta office)
(770) 818-1423 (o)
(678) 478-3570 (c)
[email protected]
Jonathan Romvary (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]
Behnam Salehi (Philadelphia office)
(267) 758-6013 (o)
(949) 294-9230 (c)
[email protected]
Kacie Manisco (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]