FTC Enforcement of Cybersecurity Standards

January 6, 2016

Author: Ryan M. Tharp

Originally Published September 15, 2015

An August 2015 opinion by the federal Third Circuit Court of Appeals titled FTC v. Wyndham Worldwide Corp. and the December 2015 settlement between Wyndham and the FTC demonstrates that companies may have liability for unfair and deceptive trade practices if they do not take cybersecurity seriously or they misstate their cybersecurity practices.  As part of the settlement of this case, Wyndham is required to implement a comprehensive information security program and report to the FTC on its compliance for the next 20 years.

What happened?

Wyndham and its affiliated companies operate about 90 hotels worldwide.  Wyndham took no or very few cybersecurity measures and was hacked three times between 2008 and 2009, resulting in over 10.6 million dollars in fraudulent charges.  After each hack, Wyndham did not substantially upgrade its cybersecurity.  The FTC sued Wyndham under section 5(a) of the FTC Act claiming that Wyndham’s actions (1) were unfair trade practices because they caused substantial injuries to customers that were not avoidable by the customers and were not outweighed by benefits to customers or competition and (2) were deceptive trade practices because Wyndham stated in its privacy policy that it took industry standard measures to protect its customers’ data.

After the FTC brought suit, Wyndham challenged the FTC’s authority over cybersecurity as it related to unfair trade practices (Wyndham did not challenge the FTC’s authority over the deceptive trade practices claims).  In its opinion, the Third Circuit stated that the FTC had authority to sue companies for violations of unfair trade practices related to cybersecurity.  The opinion does not mean that Wyndham necessarily engaged in unfair trade practices (that determination would have been made at trial had the parties not subsequently settled); rather, the opinion merely states that the FTC can sue companies for cybersecurity practices that may constitute unfair trade practices.

After the Third Circuit’s opinion, Wyndham and the FTC settled the case.  As part of the settlement, Wyndham must implement a comprehensive information security program and is required to report on its compliance with the settlement agreement for the next 20 years.  Wyndham was not required to pay any monetary penalty to the FTC.  The settlement agreement lists specific actions that should be viewed as guidance on what the FTC currently considers reasonable for a comprehensive cybersecurity and information security program.

Why is this important?

If a company is not adequately addressing cybersecurity and information security, the FTC now has clear authority to sue that company for unfair and deceptive trade practices.  The takeaway from the Wyndham case is that a company must take cybersecurity and information security seriously, and that means an ongoing commitment to ensure that consumers are not at risk of a substantial injury.

What are unfair and deceptive trade practices?

Unfair and deceptive trade practices deal with two separate types of conduct: (1) unfair trade practices and (2) deceptive trade practices. While these practices are related, they are treated separately.

  • Unfair trade practices are practices that expose consumers to substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition.  Fundamentally, this requires a cost-benefit analysis comparing the potential harm to consumers against the benefits to consumers and competition.  Note that this definition only requires that a company expose consumers to a substantial injury – it does not require that the injury occur.
  • Deceptive trade practices can be generally described as “do what you say you’re going to do.”  The legal test is more nuanced than that, but if you do what you say you’re going to do, you are probably not engaging in a deceptive trade practice.  If a company’s privacy policy says it uses industry standard practices, but the company has not updated and maintained its cybersecurity practices as industry practices evolve over time, the company is likely engaging in a deceptive trade practice.

This Article is published for general information, not to provide specific legal advice. The application of any matter discussed in this article to anyone's particular situation requires knowledge and analysis of the specific facts involved.

Copyright © 2016 Fairfield and Woods, P.C.  ALL RIGHTS RESERVED.