Third Circuit to Wyndham (Part II): “Deceptive” is also “Unfair” in the Cybersecurity Context

September.10.2015

In Part I, we discussed the Third Circuit's finding that the "unfair" prong of the FTC Act does not require the agency to provide specific cybersecurity standards with "ascertainable certainty" to which companies must conform. In Part II, we discuss the interplay between the FTC's prohibition on "deceptive" acts and unfair cybersecurity practices.

The FTC has long applied its "deceptive acts" enforcement power to police representations, omissions or practices that are likely to mislead consumers acting reasonably under the circumstances,¹ and its "unfair acts" enforcement power to police acts that likely injure consumers, but which are not reasonably avoidable by the consumers themselves.² In the cybersecurity context, the Third Circuit's landmark decision in FTC v. Wyndham Worldwide Corporation illustrates the "frequent overlap" between deception and unfairness by explicitly linking alleged overstatements in privacy policies to the question of whether security practices are unfair. Accordingly, companies should exercise serious care in crafting representations in their privacy policies, terms of use, and other consumer-facing statements to validate that those statements closely conform to actual, internal business practices.

Background

As we reported last time, on three separate occasions in 2008 and 2009, hackers allegedly accessed and ex-filtrated payment card information belonging to over 619,000 of Wyndham's guests (reportedly causing some $10.6 million in fraudulent charges) from its corporate network and certain of its independently-owned hotels' property management systems.

The FTC brought a an enforcement action under the unfairness prong of Section 5 of the FTC Act, alleging that Wyndham's data security practices "unreasonably and unnecessarily" exposed consumers' personal data to unauthorized access and theft. (See our discussion in Part I). The FTC complaint also raised a deception claim against Wyndham for misleading statements in its online privacy policies going back to at least 2008. The statements at issue included representations by Wyndham that it protected customer information through "industry standard practices" and "commercially reasonable efforts," such as "128-bit encryption," "fire walls" and "other appropriate safeguards." According to the FTC, however, Wyndham failed to use encryption, firewalls, and a host of other allegedly commercially reasonable methods to secure consumer data. The District Court allowed the FTC's deception claim, together with its unfairness claim, to proceed past Wyndham's motion to dismiss.

Privacy Policy "Directly Relevant" to Unfair Cybersecurity Practices

Although the FTC's claims of deceptive practices were not directly considered on appeal, Wyndham's allegedly deceptive privacy policy statements emerged as a critical factor in affirming the District Court's denial of the company's attempt to dismiss the unfairness claims.³

First, the Third Circuit turned Wyndham's own argument against it when the company asserted that conduct is only "unfair" if it is "not equitable" or "marked by injustice, partiality, or deception." The Court roundly rejected Wyndham's position, noting that a company does not act equitably when it "publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

Second, the Court observed that the FTC Act provides for a cost-benefit framework where unfair practices consist of those (i) that are likely to cause substantial injury, (ii) that are not reasonably avoidable by consumers themselves, and (iii) not outweighed by countervailing benefits. It then credited the FTC's argument that "consumers could not reasonably avoid injury by booking with another hotel chain because Wyndham had published a misleading privacy policy that overstated its cybersecurity." Finding it plausible – at the motion to dismiss at this stage in the litigation – that consumers were misled by Wyndham's privacy policy, the Third Circuit deemed the policy "directly relevant" to whether the company's conduct was unfair.

Conclusion

There is nothing new about the FTC use of Section 5 to police misrepresentations or omissions in consumer-facing statements. Deception claims are standard fare in the 50+ cybersecurity consent decrees that the FTC has obtained to date, as well as in hundreds of other FTC consumer protection actions, most notably in the advertising and marketing context. A recent example is the FTC's motion for contempt filed against LifeLock for failing to comply with its 2010 consent decree with the FTC and 35 State Attorneys General. Among the alleged violations were misrepresentations that the company protected consumers' identity 24/7/365 by providing alerts "as soon as" it received indications of problems, and a failure to have maintained a comprehensive information security program to protect customers' personal information.

The Third Circuit's opinion is a clear message that companies should expect that their consumer-facing statements (e.g., privacy policies, terms of use, advertisements, etc.) will be tested for both accuracy and fairness. Companies should be on alert to immediately consider the following:

What (and how much) should you publicly state about security? Decide whether detailed statements about your plans, protocols, processes and tools are necessary and generate business value. Avoid overstating your security practices, or implying that a high level of security is applied across the board, when in fact it is applied only to certain portions of the data set. Be thoughtful about the fine line between transparency that informs customers on the ways in which you collect, use, share, store and transfer data, and vague language or catch phrases, such as "industry standard security," "bank-level encryption" or "we do everything we can do to secure your data" that can land a company in hot water.
How (and how often) do you test your public statements? All consumer-facing representations should be audited no less than twice per year. Reviews should be accelerated as part of privacy-by-design processes any time new products or services will be deployed. And always include the IT/InfoSec team in reviewing and approving all security-related statements together with the privacy and legal team.
Are reasonable security disclaimers appropriate? Given the constantly shifting cyber threat landscape, virtually any assurance regarding security is susceptible to scrutiny. This is why many companies include blanket disclaimers informing consumers that security measures may change, be unavailable from time to time, or even circumvented by sophisticated actors (e.g., "We cannot guarantee 100% security, and no security is fail proof"). Competent judgment is required to strike a thoughtful balance: any legal benefits that disclaimer language may provide should be weighed against the PR/business impact of being viewed as shifting risk to the consumer.
________________________________________
[1] See FTC Policy Statement on Deception, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984).
[2] See 15 U.S.C. § 45(n).
[3] As support for the proposition that it could not completely "disentangle" the FTC's deception and unfairness theories, the Third Circuit cited to a string of administrative decisions in which the FTC has "described deception as a subset of unfairness."

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.