In Part I, we discussed the Third Circuit's finding that the "unfair" prong of the FTC Act does not require the agency to provide specific cybersecurity standards with "ascertainable certainty" to which companies must conform. In Part II, we discuss the interplay between the FTC's prohibition on "deceptive" acts and unfair cybersecurity practices.
As we reported last time, on three separate occasions in 2008 and 2009, hackers allegedly accessed and exfiltrated payment card information belonging to over 619,000 of Wyndham's guests (reportedly causing some $10.6 million in fraudulent charges) from its corporate network and certain of its independently-owned hotels' property management systems.
The FTC brought an enforcement action under the unfairness prong of Section 5 of the FTC Act, alleging that Wyndham's data security practices "unreasonably and unnecessarily" exposed consumers' personal data to unauthorized access and theft. (See our discussion in Part I.) The FTC complaint also raised a deception claim against Wyndham for misleading statements in its online privacy policies going back to at least 2008. The statements at issue included representations by Wyndham that it protected customer information through "industry standard practices" and "commercially reasonable efforts," such as "128-bit encryption," "fire walls" and "other appropriate safeguards." According to the FTC, however, Wyndham failed to use encryption, firewalls, and a host of other allegedly commercially reasonable methods to secure consumer data. The District Court allowed the FTC's deception claim, together with its unfairness claim, to proceed past Wyndham's motion to dismiss.
There is nothing new about the FTC's use of Section 5 to police misrepresentations or omissions in consumer-facing statements. Deception claims are standard fare in the 50+ cybersecurity consent decrees that the FTC has obtained to date, as well as in hundreds of other FTC consumer protection actions, most notably in the advertising and marketing context. A recent example is the FTC's motion for contempt filed against LifeLock for failing to comply with its 2010 consent decree with the FTC and 35 State Attorneys General. Among the alleged violations were misrepresentations that the company protected consumers' identity 24/7/365 by providing alerts "as soon as" it received indications of problems, and a failure to have maintained a comprehensive information security program to protect customers' personal information.