In a highly-anticipated decision, the U.S. Court of Appeals for the Third Circuit has ruled in FTC v. Wyndham Worldwide Corporation that the Federal Trade Commission (“FTC”) is authorized to pursue lawsuits against those who allegedly fail to provide adequate cybersecurity and thus unfairly expose their customers’ data to theft or illegal access. While the merits of the actual lawsuit have not yet been resolved, this is an important, precedent-setting decision. Unless it is overturned by the Supreme Court (which seems unlikely), it largely settles the question — without much surprise — about the FTC’s authority to regulate cybersecurity practices.
Here’s a brief summary of the August 24, 2015 opinion:
The Underlying Data Breaches. Hackers successfully breached the computer systems of hospitality company Wyndham Worldwide Corporation and its corporate affiliates three times in 2008 and 2009. They reportedly stole personal and financial information about more than 600,000 Wyndham guests, resulting in at least $10.6 million in fraudulent charges.
The FTC’s Lawsuit Against Wyndham. The FTC sued Wyndham and its affiliates in federal court in 2012, claiming in paragraph 24 of its Amended Complaint that Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The FTC alleged that in doing so, Wyndham violated § 45(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45 (“…unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”).
The FTC’s Specific Allegations Against Wyndham. In describing the alleged “unfair cybersecurity practices,” the FTC alleged that Wyndham:
- allowed Wyndham-branded hotels to store payment card information in clear, readable text (i.e., not encrypted);
- allowed easily guessed passwords to access the property management systems (e.g., the ID and password for remote access to a system developed by Micros Systems, Inc. were both “micros”);
- failed to use readily available security measures, such as firewalls, to limit access between the hotels’ property management systems, corporate network and the Internet;
- failed to adequately restrict the access of third-party vendors to its network and the servers of Wyndham-branded hotels;
- failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations;
- failed to follow proper incident response procedures; despite the fact that the hackers used similar methods in each of the three cyber-attacks, Wyndham failed to monitor its network for malware used in the previous intrusions.
Wyndham’s Initial Response to the FTC Lawsuit. Wyndham asked the trial court to dismiss the FTC’s lawsuit on the grounds that (1) the FTC did not have authority to regulate cybersecurity under the FTC Act, and (2) Wyndham did not have fair notice that its cybersecurity practices violated the FTC Act because the FTC has not set forth specific cybersecurity guidelines.
How Have the Courts Ruled So Far? It is important to note that the merits of the FTC’s claims against Wyndham have not yet been resolved. The legal battle, so far, has concerned only whether the FTC has authority to bring the claims it has made, and whether Wyndham had fair notice that its cybersecurity practices might be in violation of the FTC Act. Both the trial court and appellate court have now ruled against Wyndham and in favor of the FTC on those two issues. This means that the FTC’s lawsuit can now proceed on the merits of the case (unless it settles out of court, like the vast majority of all civil cases).
Even though the ultimate outcome of the case is still to be determined, there is language in the 3rd Circuit’s opinion that does not bode well for Wyndham. For example:
What is the Reaction From the FTC?
The FTC released a statement following the 3rd Circuit’s decision, with a quote from its chair, Edith Ramirez:
[the] decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.
The FTC is now the primary cybersecurity regulator in the United States (at least in terms of consumer protection).
The FTC has long asserted that it held such power; the 3rd Circuit just made it official.
Take note when the FTC talks about cybersecurity — good, bad or ugly.
Companies should listen closely when the FTC addresses cybersecurity. The FTC has published guidance and criticisms of various good and bad cybersecurity practices for years. In 2007 it issued a guidebook, Protecting Personal Information: A Guide for Business. Earlier this summer, it updated that advice in another cybersecurity guidebook, Start With Security: A Guide for Business (Lessons Learned from FTC Cases), which includes 10 tips that it pulled from its 50+ cybersecurity law enforcement cases.
In addition, the FTC has a history of prosecuting companies that allegedly fail to provide adequate cybersecurity for consumer information. Even before the cyber-attacks on Wyndham in 2008 and 2009, the FTC had filed complaints and entered into consent decrees in administrative cases based on inadequate corporate cybersecurity. The FTC publishes those complaints and consent decrees on its website and provides notice of the proposed consent orders in the Federal Register. So there are publicly available examples of real-world cybersecurity practices that the FTC found to be so inadequate as to require the filing of a complaint. Companies can review those complaints to learn from the mistakes of others.
Companies victimized by cyber-attacks may still face regulatory consequences.
Wyndham played the victim card – literally – in arguing that its cybersecurity practices could not be considered unfair, when the data breaches resulted from criminal cyber-attacks. The 3rd Circuit rejected that notion, observing that Wyndham “offer[ed] no reasoning or authority for this principle, and we can think of none ourselves.” The point is that if a company has implemented little or no cybersecurity protections, and then suffers a customer data breach due to a cyber-attack that exploited the lack of cybersecurity, the company can expect to face an uphill battle to avoid regulatory consequences (and other liability) for its role in the data breach.