Third Circuit Affirms District Court’s Decision Asserting FTC’s Authority over Companies’ Data Security Practices
On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.