On Monday, the Third Circuit issued a highly anticipated opinion affirming the Federal Trade Commission's authority to regulate "unfair" cybersecurity practices under Section 5 of the FTC Act. In allowing the data breach action against Wyndham Worldwide Corporation to proceed, the Court held that Wyndham was "not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform." This ruling confirms what many practitioners already know: companies must be particularly attentive to designing and updating policies and programs that not only consider the status quo patchwork of cybersecurity rules and regulations, but that also adapt to the myriad regulatory consent decrees, frameworks, and guidelines that outline the contours of reasonableness in the context of cybersecurity.
In 2008 and 2009, on three separate occasions, hackers allegedly accessed and ex-filtrated data from Wyndham Worldwide's corporate network and some of its independently owned hotels' property management systems that store hotel guests' personal and payment information. Through a combination of attack vectors, tools and methodologies (including brute force password attacks, memory-scraping malware, and administrator account compromises), the hackers allegedly obtained, among other things, payment card information belonging to over 619,000 consumers – reportedly resulting in at least $10.6 million in fraudulent charges and the export of hundreds of thousands of payment card details to a domain registered in Russia.
After investigating these data breaches, the FTC brought an enforcement action in 2012, alleging that Wyndham had engaged in "unfair" cybersecurity practices in violation of Section 5. Without referring to any specific cybersecurity requirements with which the FTC expected Wyndham to comply, the FTC alleged that Wyndham "unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." Specifically, the FTC highlighted a laundry list of deficient data security practices including the storage of payment card information in clear text, use of weak and default passwords across its network, missing or mis-configured firewalls to limit access between systems and the Internet, failure to "adequately restrict" third party vendors from accessing the corporate network and hotel servers, and failure to follow "proper incident response procedures," particularly in the wake of successive cyberattacks.
Section 5 of the FTC Act, from which the FTC derives its consumer protection authority, prohibits "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a). The Act further provides a cost-benefit analysis framework, defining "unfair practices" as those that " cause or are likely to cause substantial injury to consumers  which are not reasonably avoidable by consumers themselves and  not outweighed by countervailing benefits to consumers or to competition."
Affirming the FTC's power to regulate unfair cybersecurity practices, the Third Circuit rejected Wyndham's arguments that it was entitled to "ascertainable certainty" of the FTC's interpretation of what specific cybersecurity practices are required by Section 5. Rather, the Court held that Wyndham was only due "fair notice" that its conduct could reasonably fail Section 5's required cost-benefit analysis, noting also that the FTC had publicly issued security guidebooks, filed numerous complaints and entered into consent decrees in administrative cases and posted such materials on its website and in the Federal Register. Moreover, it was particularly relevant that Wyndham "was hacked not one or two, but three, times. And at least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis."
There are three key lessons learned from the Third Circuit's ruling relating to cybersecurity preparedness.
Stay tuned for Part 2 in our series for analysis of how Section 5's prohibition on "deceptive" practices are intertwined and implicated in cybersecurity incidents and data breaches.