Third Circuit Holds That FTC Has Authority to Regulate Cybersecurity
on November 11, 2015
In August of this year, the Third Circuit Court of Appeals issued its opinion in FTC v. Wyndham Worldwide Corp. stating that the Federal Trade Commission (“FTC”) has the authority to hold companies accountable for their use of unfair practices relating to cybersecurity threats. The standard determining “unfair practices” remains a bit unclear. However, companies have been put on notice of possible penalties instituted by the FTC in instances of security breach. FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 2015 U.S. App. LEXIS 14839 (3rd Cir. 2015).
Beginning in 2008, Wyndham experienced three separate cybersecurity breaches that extended into 2009. Hackers were able to access consumer financial information and, as a result of the breaches, Wyndham consumers experienced more than $10.6 million in fraudulent charges. The FTC filed its suit against Wyndham in Federal District Court. The FTC claimed that Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, Complaint ¶ 24 (filed June 26, 2012).
As part of the alleged unfair practices, the FTC contended that Wyndham stored consumer data in clear, readable text, allowed the use of easily guessed passwords, failed to use readily available security measures such as firewalls, failed to employ reasonable measures to detect and prevent unauthorized access to the computer network, and did not follow proper incident response procedures. Additionally, the FTC alleged that Wyndham’s actual safety measures and precautions fell well short of the privacy policy the company published on its website. FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, Complaint ¶ 24 (filed June 26, 2012).
After receiving the complaint, Wyndham filed a motion to dismiss, stating that the FTC has no authority to regulate cybersecurity. However, the District Court denied Wyndham’s motion. FTC v. Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 84913 (D.N.J. June 23, 2014). Thereafter, the Third Circuit granted an interlocutory appeal in order to resolve two issues. The first, and more important, issue was whether or not the FTC has authority to regulate cybersecurity under the unfairness prong in Section 5 of the FTC Act. That particular section of the FTC Act gives the FTC authority to regulate unfair methods of competition in commerce.
In holding that the FTC does have authority to regulate cybersecurity, the Third Circuit rejected Wyndham’s argument that subsequent Congressional legislation could be read to exclude cybersecurity from the FTC’s authority. Additionally, the Third Circuit rejected Wyndham’s argument that prior FTC statements on the issue disclaimed any authority it had over cybersecurity. FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 2015 U.S. App. LEXIS 14839, 22-28 (3rd Cir. 2015). The Third Circuit’s precedential opinion officially established the FTC’s authority to regulate cybersecurity and hold companies accountable for unfair practices.
This ruling helped to further the FTC’s goal of protecting consumer privacy data by holding companies accountable in some instances of cybersecurity breach. However, despite the Third Circuit’s opinion, there is no clear determination as to the standard establishing “unfair practices” relating to cybersecurity. Thus, this decision could potentially have serious, deleterious implications for companies across the country. Companies should be sure to review FTC guidelines and consent decrees in order to better understand the standard the FTC will be using moving forward.
At this point, companies should take advantage of simple cybersecurity measures that are at their disposal such as establishing firewall protection, instituting sophisticated password requirements, and establishing a breach response protocol. Additionally, companies would be wise to meticulously review the terms of their insurance policies. In some instances, policies can contain exclusions that prevent coverage if the insured has not established certain cybersecurity protective measures. This could potentially leave a company vulnerable to cyber breaches, heavy financial losses, actions by the FTC, and challenges in asserting insurance coverage.
© 2024 Brouse McDowell. All rights reserved.