The Third Circuit Court of Appeals recently upheld the Federal Trade Commission’s power to regulate corporate privacy and data security procedures under the Federal Trade Commission Act. Wyndham Worldwide was hit by three separate hacker attacks in 2008 and 2009, which resulted in the loss of personal and financial data for more than 600,000 consumers. The FTC filed suit, alleging that Wyndham’s cybersecurity procedures, which had failed to protect this data, violated the FTC Act’s prohibition on “unfair” acts or practices by a business. See 15 U.S.C. § 45(a).
Wyndham, which franchises and manages hotels, and sells time shares, runs the property management system for the whole enterprise. This system collects and processes consumer information, including names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. The FTC’s lawsuit alleges that Wyndham failed to implement reasonable data security procedures, including (1) allowing Wyndham-branded hotels to store payment card information in readable text; (2) allowing the use of easily guessable passwords; (3) failing to use firewalls and other readily available security measures; (4) allowing franchisees and others to connect to the network without appropriate precautions; (5) failing to adequately restrict access to its network and servers; (6) failing to utilize reasonable measures to detect and prevent unauthorized access; and (7) failing to follow proper incident response procedures.
Wyndham disputed the FTC’s lawsuit, arguing (1) the FTC had no authority to regulate cybersecurity as an “unfair” act or practice; and (2) it had not received “fair notice” of what the FTC was requiring. In its decision, rejecting Wyndham’s challenge, the Third Circuit held (1) that the FTC Act’s prohibition on “unfair” acts and practices is broad enough to grant the FTC authority over business data security practices, and (2) Wyndham, based on the plain language of the Act and FTC statements, did in fact receive “fair notice.”
The Third Circuit sent the case back to the trial court for a decision now on whether Wyndham’s data security practices were—as the FTC alleges—so lax as to be an “unfair” act or practice affecting commerce.