The FTC and Cybersecurity

Data breaches could be considered unfair trade practices

Lax data security could be an unfair trade practice.

Federal involvement in cybersecurity issues and data breaches will likely continue to grow, and the law will continue to evolve in this area. The 3rd Circuit recently validated the Federal Trade Commission's (FTC) authority in the cybersecurity field and ruled in favor of the FTC's action against Wyndham Worldwide Corp., citing the Federal Trade Commission Act:

The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a).

Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 6 (3d Cir. Aug. 24, 2015).

In this case, the hackers initially intruded by using "the brute-force method—repeatedly guessing users' login IDs and passwords—to access an administrator account on Wyndham's network." Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 10 (3d Cir. Aug. 24, 2015).

The FTC alleged that these successful intrusions resulted from Wyndham's "unfair cybersecurity practices that, 'taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.'" Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 8 (3d Cir. Aug. 24, 2015). These "unfair cybersecurity practices" included the following:

  • storing payment card information in "clear readable text."
  • allowing unrestricted access to vendors.
  • allowing "easily guessed passwords."
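The first and third practices on that list, and the brute-force intrusion described above, map onto two controls a defender can check for directly. As an added illustration that is not part of this article or of the case record, the Python below runs a sliding-window detector for repeated failed logins against one account from one source (the signature of password guessing) over a few constructed authentication log lines, and screens candidate passwords against a small list of easily guessed values. The log format, the threshold and window, and the password list are all assumptions made for the example.

```python
"""
Two checks that speak to the practices alleged in the Wyndham case:
repeated password guessing against an account, and easily guessed passwords.
Log format, thresholds and the password list are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not from the case record).
# Five failures against "admin" in five seconds, then a success.
SAMPLE_LOG = """\
2015-08-24T02:00:01 auth FAILED user=admin src=203.0.113.7
2015-08-24T02:00:02 auth FAILED user=admin src=203.0.113.7
2015-08-24T02:00:03 auth FAILED user=admin src=203.0.113.7
2015-08-24T02:00:04 auth FAILED user=admin src=203.0.113.7
2015-08-24T02:00:05 auth FAILED user=admin src=203.0.113.7
2015-08-24T02:00:06 auth SUCCESS user=admin src=203.0.113.7
2015-08-24T02:10:00 auth FAILED user=jsmith src=198.51.100.20
2015-08-24T02:30:00 auth FAILED user=jsmith src=198.51.100.20
2015-08-24T02:31:00 auth SUCCESS user=jsmith src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on (user, src) pairs with at least `threshold` failed logins inside
    a sliding time window. A SUCCESS that follows such a burst is flagged
    separately, because that is the pattern of a password that was guessed."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            # Drop failures that fell out of the window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "brute_force", "user": ev["user"],
                               "src": ev["src"], "failures": len(recent), "at": ev["ts"]})
        else:
            if key in alerted:
                alerts.append({"kind": "success_after_brute_force", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"]})
            recent.clear()  # a successful login ends the failure streak
    return alerts


# Assumed short list of values that count as "easily guessed"; a real deployment
# would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "letmein", "qwerty"}


def is_easily_guessed(password, min_length=12):
    """True if the password is short, is a known common value, or is a common
    value dressed up with a few trailing digits and a symbol (e.g. Password2015!)."""
    lowered = password.lower()
    if len(password) < min_length or lowered in COMMON_PASSWORDS:
        return True
    if re.fullmatch(r"[a-z]+\d{0,4}[!@#$]?", lowered):
        return re.sub(r"[\d!@#$]", "", lowered) in COMMON_PASSWORDS
    return False


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
    for candidate in ("Password2015!", "admin", "correct horse battery staple 42"):
        print(candidate, "easily guessed" if is_easily_guessed(candidate) else "ok")
```

The detector keys on the (user, source) pair so that one tenant's noisy retries do not mask a focused attack on an administrator account, and it raises a second, higher-severity alert when a success follows the burst; that is the event an incident responder would want to triage first.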

What is an unfair cybersecurity practice?

The court acknowledged that the definition of "unfair or deceptive acts" is vague, but pointed to several U.S. Supreme Court cases recognizing that "Congress designed the term as a 'flexible concept with evolving content.'" Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 13 (3d Cir. Aug. 24, 2015).

15 U.S.C. Section 45(n) continues to explain that an "unfair" practice is one that is "likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." These factors certainly could apply to data breaches where consumers suffer harm after the breach. If a consumer has suffered substantial injury, the incident clearly fits within the plain meaning of the statute. The 3rd Circuit concluded that "we are therefore not persuaded by Wyndham's arguments that the alleged conduct falls outside the plain meaning of 'unfair.'" Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 21 (3d Cir. Aug. 24, 2015).

In our 21st-century economy, almost every company holds some information about its customers in a database. Thus, applying this statute to modern cybersecurity issues is simply the next logical step, because data security and commerce are interrelated.

Notice

Next, the court considered whether Wyndham had notice that 15 U.S.C. Section 45 applies to cybersecurity issues.

"The relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute." Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 38 (3d Cir. Aug. 24, 2015).

The 3rd Circuit concluded that the statute provides adequate notice, especially given the fact that Wyndham was hacked numerous times:

"We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis." Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 41 (3d Cir. Aug. 24, 2015).

Take-away

One take-away from this case is that organizations must actively work to protect data and prevent breaches. The FTC is clear that it will not allow holders of sensitive personally identifiable information (PII) to passively sit back and allow data thieves to exploit weaknesses. Commenting on the 3rd Circuit's decision, FTC Chairwoman Edith Ramirez stated, "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."

Further, merely publishing a privacy policy is not enough. The company must follow through and implement the protections.

"A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business." Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 17 (3d Cir. Aug. 24, 2015).

Being a 'Victim' Is Not a Shield

Additionally, the 3rd Circuit reiterated that companies targeted by hackers cannot rely on their status as a "victim" to avoid responsibility.

More importantly, that a company's conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965); . . . Westfarm Assocs. v. Wash. Suburban Sanitary Comm'n, 66 F.3d 669, 688 (4th Cir. 1995) ("Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.").

Fed. Trade Comm'n v. Wyndham Worldwide Corp., No. 14-3514, at 20 (3d Cir. Aug. 24, 2015).

Companies have to actively, not passively, protect data. This responsibility imposes an obligation to aggressively secure data and minimize weaknesses.

Future Developments

The news is full of stories regarding breaches of consumer data, financial data, and medical information. Given the value of these types of personal information, organizations that maintain any form of personally identifiable information will continue to be targeted.

Consequently, we can expect privacy and security law to continue to evolve and catch up with rapidly changing cybersecurity developments. In terms of federal involvement and regulation, one author noted that "Because this is a relatively new arena for regulatory enforcement, there are not many precedents to follow, and the scrutiny is likely to come from multiple regulatory bodies, including the DOJ, the SEC, Health and Human Services, Homeland Security, and the FTC (Federal Trade Commission)."

As this field continues to evolve, organizations that hold personal information and all stakeholders must continue to adapt and proactively stay ahead of the curve.