FTC Held to Have Authority to Regulate Cybersecurity Practices

September 24, 2015
FTC Held to Have Authority to Regulate Cybersecurity Practices Under Section 5 of the FTC Act
The Federal Trade Commission’s longstanding authority to regulate “unfair methods of competition in or
affecting commerce” under § 5 of the FTC Act, 15 U.S.C. § 45(a), extends to regulation of cybersecurity
practices that are harmful to consumers, according to a recent ruling by a three-judge panel of the
United States Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corp., No. 14-3514,
2015 WL 4998121 (3d Cir. Aug. 24, 2015). This case not only reaffirms the applicability of this well-known tool in the context of modern corporate data security practices but also solidifies the FTC as one
of the primary regulators of cybersecurity and data breach responses in the United States.
The FTC’s Historic Power over Unfair Methods of Competition and Its Extension in the 1960s to Practices Harmful to Consumers
When the FTC Act was first signed into law in 1913, it was primarily enforced only against practices that
harmed competition or commerce in a literal sense, such as violations of the Sherman Anti-Trust Act. In
its early days, the Act was not considered applicable to practices which were harmful to consumers but
not necessarily harmful to competition or commerce. Thus, for example, in early cases, restrictions on
the price and manner in which printed publications may be sold, on requiring gasoline sellers who lease
their tanks from gasoline manufacturers to only sell gasoline from that manufacturer, and on
unsubstantiated weight loss cure advertisements were all held to be outside the FTC’s authority under
§ 5 of the FTC Act.
In 1964, however, the FTC promulgated trade regulations for cigarette advertising based on § 5 that
would consider whether a practice “causes substantial injury to consumers,” among other factors, in
determining whether the practice was “unfair.” The FTC thereafter began following this approach in
other areas. In 1972, the United States Supreme Court upheld the FTC’s consideration of the
potential for consumer harm in unfairness determinations under § 5 of the FTC Act (FTC v. Sperry, 405
U.S. 233 (1972) (involving secondary markets for trading stamps)).
The FTC has continued to use this authority ever since, in areas such as the regulation of children’s
advertising. In 1980, the FTC’s authority in this regard was codified by Congress in § 5(n) of the FTC
Act, 15 U.S.C. § 45(n), which recognized the FTC’s authority “to declare unlawful an act or practice on
the grounds that such act or practice is unfair” where “the act or practice causes or is likely to cause
substantial injury to consumers which is not reasonably avoidable by consumers themselves and not
outweighed by countervailing benefits to consumers or to competition.”
Expansion to Cybersecurity and the Case Against Wyndham
Data security increasingly has become a large and significant issue for American business. Every few
months seemingly brings a new announcement that a major company’s customer data has been
breached or leaked or otherwise exposed, affecting millions of customers or users. Some recent
examples include Ashley Madison (37 million user records), Anthem (80 million personal and medical
records), Home Depot (56 million credit card numbers), Adobe (152 million user records), Target (110
million credit and debit card records), and Sony Playstation (77 million user records).
Since early 2002, the FTC has asserted authority, primarily under § 5 of the FTC Act, to address
corporate data security policies. By January 2014, the FTC announced that it had achieved data
security settlements with 50 companies. (FTC Press Release (Jan. 31, 2014).)
Not all companies settled, however. In 2012, the FTC commenced an action against Wyndham under
§ 5 of the FTC Act for several data security incidents in 2008 and 2009.
The FTC alleged that Wyndham had engaged in unfair cybersecurity practices that, “taken together,
unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
According to the FTC’s allegations, through these combined incidents, hackers obtained payment card
information from over 619,000 consumers, which resulted in at least $10.6 million in fraud loss, with
consumers suffering financial injury through “unreimbursed fraudulent charges, increased costs, and
lost access to funds or credit,” and having to “expend[] time and money resolving fraudulent charges
and mitigating subsequent harm.”
Wyndham did not settle the charges but instead challenged the FTC’s attempt to proceed against it
under § 5 as being beyond the FTC’s authority under the FTC Act. The District Court upheld the FTC’s
authority in this area under the FTC Act and the Third Circuit affirmed.
“Unfairness” in the Cybersecurity Context
In opposing the FTC’s action, Wyndham argued that for a practice to be “unfair” requires more than merely meeting the
minimum requirements that Congress specified in § 5(n) of the FTC Act. Wyndham argued that to be
“unfair,” a practice also needs to be “not equitable” or “marked by injustice, partiality, or deception.” The
Third Circuit held, however, that the FTC’s actions were valid even under this proposed test:
“A company does not act equitably when it publishes a privacy policy to attract
customers who are concerned about data privacy, fails to make good on that promise by
investing inadequate resources in cybersecurity, exposes its unsuspecting customers to
substantial financial injury, and retains the profits of their business.”
In the Wyndham case, the FTC identified, and the Third Circuit noted, several aspects of Wyndham’s
insufficient cybersecurity protections:
- Credit card information was stored in unencrypted clear text;
- Property management system passwords were permitted to be very easily guessable;
- No firewalls were used between individual hotels’ systems, corporate systems, or the Internet;
- Computers used to access property management systems were running out-of-date operating systems which had not received timely security updates;
- Access to computer systems by third-party vendors was not adequately controlled;
- There were no unauthorized access detection measures in place; and
- There were no additional measures put in place after known breach incidents.
The fact that the cybersecurity breaches were caused by outside parties—hackers—did not alter the
Third Circuit’s conclusions. To the contrary, it took particular note that Wyndham had been hacked on
three separate occasions in different ways, and that the FTC alleged that even though Wyndham was
aware of each of the breaches, no new security measures were put in place after any one breach
sufficient to prevent the next. The Court noted that Wyndham did not argue that the breaches were
unforeseeable.
The Third Circuit dismissed as an “alarmist” reductio ad absurdum Wyndham’s suggestion that to
uphold the FTC’s authority here would be to grant the FTC authority to “regulate the locks on hotel
room doors, . . . to require every store in the land to post an armed guard at the door” and to sue
supermarkets that are “sloppy about sweeping up banana peels.”
The Court also rejected Wyndham’s claim that it did not have “fair notice” of what was prohibited. It
noted that the case was not about any past inconsistency in the FTC’s position about how the FTC Act
should be interpreted, but rather simply about whether Wyndham had fair notice of what the FTC Act
itself requires. The Third Circuit held that the interpretation was proper, and that the FTC was entitled to
proceed through agency adjudication rather than rulemaking.
The FTC’s View on Appropriate Cybersecurity Practices
Wyndham heralds an era where the FTC will be able to wield significant authority in regard to
cybersecurity practices that can affect customers and consumers. Fortunately, the FTC has provided
some guidance about what it considers to be suitable cybersecurity practices.
In its January 31, 2014 press release, the FTC maintained that its enforcement of cybersecurity
protections is based on a reasonableness standard: “[A] company’s data security measures must be
reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the
size and complexity of its business, and the cost of available tools to improve security and reduce
vulnerabilities.”
The FTC further suggested:
First, companies should know what consumer information they have and what employees or
third parties have access to it. Understanding how information moves into, through, and out of a
business is essential to assessing its security vulnerabilities.
Second, companies should limit the information they collect and retain based on their legitimate
business needs so that needless storage of data does not create unnecessary risks of
unauthorized access to the data.
Third, businesses should protect the information they maintain by assessing risks and
implementing protections in certain key areas—physical security, electronic security, employee
training and oversight of service providers.
Fourth, companies should properly dispose of information that they no longer need.
Finally, companies should have a plan in place to respond to security incidents, should they
occur.
The FTC has provided additional guidelines in its “Start with Security” guide
(https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf).
Conclusion
The explosion in electronic communications, transactions and commerce over the past 15-20
years has brought along in its wake a corresponding explosion in the need for cybersecurity.
The Wyndham case helps confirm the authority of the FTC, a century-old federal agency
dedicated to protecting consumers, markets and competition, as a key regulatory body whose
positions on cybersecurity practices need to be watched and followed by companies and
businesses who are dealing with the challenges of an economy operating in this still very new
sphere.
* * *
Our client alerts are for general informational purposes and should not be regarded as legal
advice. If you would like additional information or have any questions, please contact:
New York
Robert A. Schwinger
+1 (212) 408-5364
Neal J. McLaughlin
+1 (212) 408-5283