The Third Circuit released an opinion today in FTC v. Wyndham Worldwide Corporation affirming a district court decision that the FTC has jurisdiction to pursue Wyndham for security lapses at the hotel chain. The summary below is in narrative format. The most important point is the last: the Third Circuit held that FTC complaints could give businesses “fair notice” of the possibility of liability under the FTC Act. This in effect ratifies the FTC’s method of steadily increasing privacy and security requirements through publicly announced settlements instead of through contested litigation in court.
First, some background. In June 2012, the FTC sued Wyndham for unfair and deceptive trade practices as a result of a series of security breaches the company suffered in 2008-2009. Virtually all privacy and security cases settle. Why not this one? Apparently, Wyndham felt strongly that when these security breaches happened, the FTC had not developed significant enough authority to put the business community on notice of what security precautions were necessary. As mentioned above, Wyndham was not successful with its theory in district court, and so it pursued an interlocutory appeal at the Third Circuit. The Third Circuit considered, “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”
In this straightforward opinion, the Third Circuit answered both in the affirmative. First, the court disposed of Wyndham’s argument that its conduct fell outside the plain meaning of “unfair.” Wyndham had argued that the FTC failed to meet pleading requirements (that the FTC needed to show Wyndham’s activities to be unethical or unscrupulous) and that, because Wyndham was the victim of an attack, its activities were not unfair. Wyndham also argued that the FTC’s unfairness authority did not extend to its conduct, which offered the court this opportunity to toss a barb:
“…Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, . . . to require every store in the land to post an armed guard at the door,” Wyndham Br. at 23, and to sue supermarkets that are “sloppy about sweeping up banana peels,” Wyndham Reply Br. at 6. The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”
Second, the Court distinguished Brown & Williamson, an authority Wyndham had relied upon to argue that Congress had excluded cybersecurity from the FTC Act’s ambit.
Finally, the Third Circuit devoted the remainder of the opinion to Wyndham’s due process argument that it was deprived of “fair notice” of the FTC Act’s cybersecurity requirements. The court observed that since this is a civil case, the government’s notice requirements are relaxed. In addition, the relevant inquiry was whether Wyndham had notice of the meaning of the statute, not whether it had “ascertainable certainty” of the FTC’s interpretation of it.
The court next determined that the meaning of the unfairness prohibition requires businesses to engage in a rough cost-benefit analysis, “including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” Under this cost-benefit analysis, Wyndham does not do well:
“As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, Compl. at ¶ 24(a), did not restrict specific IP addresses at all, id. at ¶ 24(j), did not use any encryption for certain customer files, id. at ¶ 24(b), and did not require some users to change their default or factory-setting passwords at all, id. at ¶ 24(f). Wyndham did not respond to this argument in its reply brief.
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis…”
Finally, and perhaps most importantly, the court disposed of Wyndham’s argument that previous FTC security and privacy complaints were too vague to give notice to the business community. The Third Circuit disagreed:
“First, even if the complaints do not specify which allegations, in the Commission’s view, form the necessary and sufficient conditions of the alleged violation, they can still help companies apprehend the possibility of liability under the statute. Second, as the Table below shows, Wyndham cannot argue that the complaints fail to give notice of the necessary and sufficient conditions of an alleged § 45(a) violation when all of the allegations in at least one of the relevant four or five complaints have close corollaries here.”
The court then published the allegations from the CardSystems Solutions complaint side by side with those of the Wyndham complaint.
More to come. But suffice it to say that the material on pages 44–46 is the most important for the FTC in its argument that it is building evolving standards for privacy and security through settlement agreements.
Alas, Wyndham now returns to its underlying litigation in district court before Judge Salas.