What’s inside this issue? In the complimentary spring 2022 issue, you will find articles that address the… Continue Reading
Third Circuit Hears Oral Arguments on Challenge FTC’s Authority to Regulate Cybersecurity
POSTED MARCH 24, 2015
A special to USLAW NETWORK and USLAW DigiKnow
By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey
On March 3, 2015, a judicial panel from the U.S. Court of Appeals for the Third Circuit heard oral arguments regarding a challenge by Wyndham Worldwide Corp. (“Wyndham”) against the Federal Trade Commission’s (“FTC”) authority to regulate cybersecurity. In particular, Wyndham is seeking to have the court dismiss the FTC’s cybersecurity case against them, contending that Congress never gave the FTC the authority to regulate data privacy.
The case initially arose after a significant cyber-attack against the hotel company from 2008 – 2010, in which hackers stole data from hundreds of thousands of customer accounts, resulting in at least $10.6 million in fraudulent charges. Wyndham informed regulators and consumers about the attack and subsequently cooperated with an FTC investigation into the incident. Despite this cooperation, the FTC filed suit against Wyndham, alleging numerous failures and inadequacies in the company’s data security, including the failure to erect firewalls, use password protections and configure payment data securely. Moreover, the FTC is seeking an injunction requiring security improvements by Wyndham, and possible “other relief,” which could include financial restitution and refunds.
Previously, the FTC has brought cybersecurity actions relying on its authority under Section 5 of the Federal Trade Commission Act, 15 U.S.C §§ 41-58, as amended (the “Act”). Section 5 of the Act, the “unfairness prong,” provides the FTC with authority to prevent “unfair” and “deceptive” business practices in or affecting commerce. In its brief to Third Circuit, the FTC argues that inadequate cybersecurity “unreasonably exposes consumers to substantial injury they cannot reasonably avoid.” Furthermore, during oral argument, the FTC emphasized its belief that Congress clearly intended for the agency to broadly wield its “unfairness power” under the Act to encompass “every manner of consumer harm.”
However, during oral argument at least one of the circuit judges on the panel appeared to disagree with the FTC’s position stating that his reading of the relevant legislative history appeared to indicate that the FTC only has the ability to bring “routine fraud cases.” This appears to favor Wyndham, whose main argument has been that Congress never intended for the “unfairness prong” to reach practices that can only be considered negligent, but not necessarily fraudulent. Wyndham has also responded to the FTC’s contention of regulatory authority by arguing that a business cannot be deemed to have engaged in an “unfair” practice, whereas here, the business itself was the victim of criminal conduct by others.
Although the Third Circuit may be reluctant to endorse the commission’s long-running assertion that it has broad authority to regulate practices that it deems to be “unfair”, the district court below reached a different conclusion. In her opinion, Judge Salas strongly endorsed the FTC’s position holding: (1) Section 5 of the Act permitted the agency to regulate data security; (2) the agency had provided adequate notice of what constitutes reasonable data security standards; and (3) the FTC adequately pled a claim for either unfairness or deception under Section 5 of the Act.
Although most people assumed that the FTC would win on appeal, the recent argument before the Third Circuit has raised some doubt about the approach the FTC has been taking in its enforcement activities. Ultimately, this case may be setting the stage for the country’s highest court to weigh in.