Mass collection and storage of consumer information – including sensitive and personal information – is a fact of life in today’s marketplace. So are hacks and data breaches. In more than thirty states there are laws that require consumers to be notified of a data breach, and there are bills in both the Senate and the House that would result in a federal breach notification standard. However, these laws only take effect after information has been exposed.
But now, thanks to a recent ruling by the U.S. Court of Appeals for the Third Circuit, the Federal Trade Commission (“FTC”) has a way of helping prevent consumers’ information from being exposed in the first place: the power to declare cybersecurity acts or practices “unfair” under the Federal Trade Commission Act. Moreover, the FTC has the power to impose monetary penalties on, or require oversight or other remedies for, companies whose cybersecurity flunks FTC scrutiny.
In Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (3rd Cir. Aug. 25, 2015), hackers accessed the Wyndham hotel and resort chain’s computer systems three separate times in 2008 and 2009, successfully stealing consumers’ personal and financial information (including names, addresses, and payment card and account information). The cyber attacks resulted in fraudulent charges to consumers exceeding $10.6 million, as well as losses to consumers of time and money. Among other things, the FTC found that consumers bore unreimbursed fraudulent charges, lost access to funds, experienced increased costs, and were forced to spend time resolving fraud and mitigating subsequent harm.
According to the FTC’s complaint, hackers were able to gain access due to the following deficiencies in Wyndham’s cybersecurity operations: Wyndham failed to encrypt sensitive information (Wyndham left information in a clear and readable form); used easily guessed passwords; failed to use readily available security features, such as firewalls; allowed access to its network from systems that were outdated or lacked important security updates; failed to impose reasonable restrictions on who could access information in its systems; failed to take measures to detect and prevent unauthorized access to its network; failed to monitor its network; and made untrue claims about how consumers’ information was being protected. In the FTC’s view, these acts (or omissions) and practices amounted to unfair cybersecurity practices.
Judge Thomas Ambro, writing for himself and Judges Scirica and Roth, agreed, holding that the Federal Trade Commission Act (15 U.S.C. § 45(a)) (the “Act”) grants the FTC the authority to regulate cybersecurity practices under standards for unfairness. Wyndham had challenged this because Congress had, on prior occasions, enacted targeted cybersecurity protections, which the FTC supported, and which, Wyndham argued, precluded the “fairness” action here. The Third Circuit disagreed. The “[FTC] unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm [are] not inconsistent with the agency’s earlier position” supporting targeted legislation. Wyndham had also objected that it lacked fair notice that its cybersecurity practices fell short of the Act’s requirements. The Third Circuit rejected this because Wyndham “could reasonably foresee that a court could construe [Wyndham’s] conduct as falling within the meaning of the statute.”
The Wyndham case involved a motion to dismiss, so we may not have heard the end of this story yet. Still, it appears that the FTC is ready to use its authority in situations where businesses fail to employ reasonable cybersecurity measures and harm results to consumers, or substantial consumer injury is likely. Although critics argue that the rule is vague, there are guidelines that businesses can follow. For example, businesses can review the FTC’s guidance and past actions related to cybersecurity, and can visit the FTC’s Business Center website (where the FTC posts privacy and data-breach-related suggestions). Businesses can also follow trade group or industry-specific recommended practices or standards.
Meanwhile, Wyndham’s message for businesses (and their counsel) is loud and clear: failing to take cybersecurity seriously creates a wide range of risks, for a company and its customers.