On August 24, 2015, the Third Circuit affirmed the United States District Court for the District of New Jersey’s denial of a motion to dismiss in FTC v. Wyndham Worldwide Corp. In Wyndham, the Federal Trade Commission brought suit against Wyndham in the wake of three cybersecurity attacks that allegedly exposed the personal information of “hundreds of thousands of consumers [and led] to over $10.6 million in fraudulent charges.” The Commission brought suit under the “unfair or deceptive acts or practices” provision of the FTC Act—15 U.S.C. § 45(a)—claiming that Wyndham’s failure to establish and maintain reasonable cybersecurity protocols allowed the hackers to attack Wyndham’s systems. After the District Court denied Wyndham’s motion to dismiss, the Third Circuit took an interlocutory appeal of two issues: 1) “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a)” and 2) “whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”
Taking the question of the Commission’s authority first, the Third Circuit concluded that the FTC Act applies to cybersecurity measures. The principal basis for this holding was the risk of serious financial injury facing consumers and the role corporations have in protecting them from that harm. The Third Circuit’s holding is noteworthy, as it may signal increased scrutiny of cybersecurity practices by the FTC.
Having concluded that the FTC has the power to bring administrative actions for alleged cybersecurity deficiencies, the Third Circuit considered whether Wyndham had sufficient notice that its cybersecurity practices were insufficient. The court was critical of a number of Wyndham’s alleged practices, including allowing hotels to “store payment card information in clear readable text,” the “use of easily guessed passwords to access the property management systems,” and the failure to restrict vendor access. Importantly, the court also noted that the fact that Wyndham had been hacked in the past must have put it “on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.”
The Third Circuit’s analysis provides some important information for businesses. First, the Third Circuit, at least, may compare a company’s cybersecurity practices against published agency guidance. Second, despite the demonstrated adaptability of hackers and the ever-evolving tools at their fingertips, some courts may view a prior successful infiltration as evidence of deficient cybersecurity practices. Third, businesses must be mindful not only of how their own employees access systems that contain consumer information, but also of how they allow third-party vendors to access such systems.
Wyndham also provides an opportunity to consider both rigid and flexible cybersecurity protocols. In determining that Wyndham was on notice that its practices may fall below FTC standards, the Third Circuit examined clear and definite practices—password complexity and firewall usage, for example. Reliance on these concrete controls stands in contrast to the flexible cybersecurity approach set out in the National Institute of Standards and Technology’s (“NIST”) Special Publication 800-53, the goal of which is to encourage adaptable policies and procedures. Businesses should consider implementing both flexible policies and procedures that meet their business needs and the specific security practices called for by the FTC (the FTC’s cybersecurity guidance is available here) to ensure their protocols will withstand later scrutiny by regulators and courts.