Third Circuit Reviews FTC’s Authority To Enforce An “Unreasonable Failure” To Protect Against A Cyber Attack

Posted by

Today, the Third Circuit heard oral argument in a case that may have a profound impact on the Federal Trade Commission’s enforcement authority over corporate cybersecurity.  The question presented to the Court of Appeals is whether the FTC can pursue an enforcement action against a company under Section 5 of the FTC Act if the FTC believes that a cyber-hack occurred due to the company’s “unreasonable failure” to protect consumer data.

The FTC alleges that Wyndham Worldwide did not “employ reasonable and appropriate measures to protect personal information against unauthorized access.”  As a result, the FTC claims, Russian data hackers were able to breach the hospitality company’s information system on three occasions between 2008 and 2010, stealing more than 619,000 credit card numbers, and causing more than $10 million in fraud losses.  For its part, Wyndham has not yet had the opportunity to reveal what security measures it had in place.  The company appealed the District Court’s denial of its motion to dismiss, and challenged the FTC’s statutory authority to bring the case under Section 5 of the FTC Act.  Wyndham argued on appeal that “[i]nstead of trying to develop national cybersecurity standards, or otherwise help Wyndham and other American businesses protect themselves from [an] ongoing threat, the Federal Government—through the [FTC]—responded by launching this lawsuit against Wyndham.”

The Third Circuit asked counsel to be prepared to address the following questions during today’s argument:

(1) Has the FTC declared that unreasonable cybersecurity practices are “unfair” through the procedures provided in the FTC Act?

(2) Assuming it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?

The FTC has filed approximately 181 privacy and security related enforcement complaints since 1997, many of which resulted in a settlement.  The number of complaints filed annually by the FTC has nearly doubled in the last decade, but the Third Circuit’s decision in Wyndham has the potential to change that.