Third Cir. Upholds FTC's Data Security Authority

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald Aplin

Aug. 24 — In one of the most anticipated privacy and date security rulings in years, the Federal Trade Commission's authority to bring data security enforcement action under the unfairness prong of Section 5 of the FTC Act against hotelier Wyndham Hotels & Resorts LLC was affirmed Aug. 24 by the U.S. Court of Appeals for the Third Circuit.

The case was a must-win for the FTC's continued leadership as the country's most active data security regulator. The court held that Wyndham wasn't “entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required.”

Writing for the unanimous panel, Judge Thomas L. Ambro also held that the FTC's consent decrees and court complaints based on the allegation that other companies' data security practices were unfair to consumers gave Wyndham “fair notice” of what the regulator expected.

FTC Chairwoman Edith Ramirez said in an Aug. 24 statement that the ruling “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Linn F. Freedman, a partner at Robinson & Cole LLP in Providence, R.I., told Bloomberg BNA the Third Circuit “slammed Wyndham by finding all of its arguments ‘unpersuasive' ” and that “is a clear victory for the FTC's jurisdiction and enforcement over data security practices.”

Peter Karanjia, a partner and co-chair of the firm's Appellate Practice at Davis Wright Tremaine LLP, in Washington, agreed that the ruling is a “pretty significant win for the FTC.” However, companies are “unlikely” to glean meaningful insights about what they must provide in terms of security, he told Bloomberg BNA.

Almost all companies have agreed to settle the FTC's data security enforcement actions. But Wyndham pushed back. The company argued that by using the unfairness prong of Section 5 of the FTC Act, 15 U.S.C. § 45, the commission exceeded its statutory authority to regulate data security. It further argued that because the FTC didn't provide specific rules on data security standards for companies, it couldn't expect them to know what constitutes “reasonable” data security standards.

The appeals court said Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.” The “company can only claim that it lacked fair notice of the meaning of the statute itself—a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case,” the court said.

Hacks Prompted FTC Action

Wyndham faced three separate hacks over a two-year period, which reportedly compromised more than 600,000 payment cards and led to more than $10 million in losses. In 2012, the FTC initiated a data security enforcement action against Wyndham in federal court, alleging it engaged in deceptive and unfair practices.

In April 2014, the U.S. District Court for the District of New Jersey denied a motion to dismiss by Wyndham, ruling that the FTC has authority under the unfairness prong of Section 5 of the FTC Act to bring a data security enforcement action against the company and doesn't have to issue data security rules.

The Third Circuit granted Wyndham's petition for an interlocutory appeal of portions of the district court's opinion.

Defining Unfairness 

The appeals court rejected Wyndham's arguments that what is “unfair” in the context of data security should be subject to a more specific definition by the FTC. The standard doesn't require “unscrupulous or unethical behavior” if there is injury to consumers, nor must the conduct be “not equitable,” the court said.

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profit of their business,” the court said. That reasoning sounds similar to FTC reliance on the deception prong of Section 5 of the FTC Act, and the court acknowledged that unfairness and deception often overlap.

The court also rejected Wyndham's argument that because Congress gave the FTC specific data security enforcement powers under laws passed subsequently to the FTC Act, such as the Fair Credit Reporting Act, lawmakers must have recognized that the commission lacked the authority under the FTC Act.

Due Process Claim Rejected 

The Third Circuit found no basis for Wyndham to support a Due Process Clause challenge on the basis of a lack of “fair notice of what is prohibited.”

The court said that in initiating the federal court action and agreeing that there were no definitive FTC rules, Wyndham was asking for a judicial opinion in the first instance under the FTC Act “without deferring to any FTC interpretation.” Therefore, “the relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires,” the court said in rejecting the fair notice arguments.

“We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required,” the court said.

The court's judgment assessed the costs of the appeal against Wyndham.

Rehearing Request?

Davis Wright Tremaine's Karanjia said he “would not be at all surprised if Wyndham sought rehearing—possibly, by the full court.”

The panel “seemed to view Wyndham as forfeiting any argument that it should have ‘ascertainable certainty' of the FTC’s interpretation of the governing ‘unfairness' standard under the FTC Act because it had pointed to the lack of any prior FTC ruling definitively setting forth that standard,” he said.

“But the absence of any such FTC ruling seems consistent—not inconsistent—with Wyndham’s argument. As I understand it, Wyndham wasn’t arguing that you should divine how a court (rather than the FTC) might apply this statute; it claim was that it lacked fair notice of how the FTC would apply the statute because, among other things, the FTC had never clearly articulated what is expected with regard to cybersecurity.”

Judges Anthony J. Scirica and Jane R. Roth joined in the opinion.

Kenneth W. Allen, Eugene F. Assaf, Christopher Landau, Susan M. Davies and Michael W. McConnell of Kirkland & Ellis LLP in Washington; David T. Cohen of Ropes & Gray LLP in New York and Douglas H. Meal of the firm's Boston office; and Justin T. Quinn of Gibbons PC in Newark, N.J., represented Wyndham. Joel R. Marcus, David C. Shonka Sr. and David L. Sieradzki of the FTC in Washington represented the commission.

To contact the reporter on this story: Donald G. Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Barbara Yuill at byuill@bna.com

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/FTC_v_Wyndham_Worldwide_Corp_et_al_Docket_No_1403514_3d_Cir_Aug_0/12.