Thanks to 3rd Circuit, companies are accountable for lax cybersecurity

August 24, 2015

(Reuters) – Our civil justice system features two ways to assure that corporations treat the rest of us fairly. Consumers (or investors, in the case of securities violations) can bring a suit to recover damages. And government regulators can bring an enforcement action. These public and private cases are supposed to work together to hold deceptive corporations accountable for their misdeeds and to deter other businesses from engaging in similar misbehavior.

The law on consumer class actions over lapses in cybersecurity is in flux, as I’ve written in a bunch of posts this year. Federal judges have been increasingly likely to hold that customers whose personal information has been exposed to hackers have constitutional standing to sue businesses that left the data vulnerable. But potential damages have been restricted. Even in gigantic data breach cases against defendants such as Sony and Target, only plaintiffs stuck with fraudulent charges or those who laid out money to protect accounts or replace compromised credit and debit cards have been able to push forward with claims for damages. If corporate exposure to consumer claims tops out in the tens of millions, that’s not very effective deterrence. Businesses might well conclude under cost-benefit analysis that it’s less expensive to settle consumer class actions than to spend the money to protect consumers’ personal information.

All of this background is to explain why a ruling Monday from the 3rd U.S. Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide is so important. As my Reuters colleague Jon Stempel reported, a three-judge 3rd Circuit panel held unanimously that the FTC has authority to police cybersecurity lapses as an unfair business practice, rejecting Wyndham’s contention that the agency improperly seized the power to regulate cybersecurity and failed to provide fair notice of the standards it would apply.

Wyndham was the first defendant to protest the FTC’s authority in federal district court, so the 3rd Circuit opinion – written by Judge Thomas Ambro for a panel that also included Judges Anthony Scirica and Jane Roth – sets precedent on the FTC’s right to sue companies that fail to safeguard customer data adequately. The prospect of a government enforcement action, in addition to exposure to private litigation, should persuade other businesses to beef up their security.

Wyndham and its appellate lawyers at Kirkland & Ellis, with amicus support from the U.S. Chamber of Commerce and other business groups, pulled out just about every imaginable argument against the FTC’s authority. It asserted, for example, that business practices cannot be deemed unfair if consumer harm results from someone else’s criminal behavior; in its case, the illegal hacking of Wyndham sites. It also said the plain meaning of the word “unfair” requires the FTC to show consumers were harmed by unethical or unscrupulous behavior.

The 3rd Circuit waved away both of those arguments. In part, Wyndham was hamstrung by the facts of this case: Despite claiming industry-standard security for customer data, it was hacked on three separate occasions over 2008 and 2009, exposing data of nearly a half-million customers who experienced more than $10 million in fraudulent charges. “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” the appeals court said.

More broadly, Wyndham claimed that Congress did not specifically delegate the authority to regulate cybersecurity to the FTC, even though the FTC is authorized to bring cases when a business practice “is likely to cause substantial business injury.” According to the hotel chain, Congress has recently enacted three laws delegating specific cyber data responsibilities to the FTC. There would have been no need for these laws, Wyndham argued, if the FTC already had the broad cybersecurity mandate it claimed.

But the 3rd Circuit said the three recent laws imposed requirements on the FTC so they should not be read as a concession that the FTC lacks discretionary authority. Nor should various proposed cybersecurity laws, the opinion said, or FTC statements on the need for sweeping regulation of cyber data.

The opinion’s discussion of Wyndham’s right to fair notice will be interesting to administrative law buffs because the 3rd Circuit decided the hotel chain was entitled only to notice of the unfair business practices statute, not to notice of how the FTC interpreted the law with respect to cybersecurity practices. According to the 3rd Circuit, Wyndham wanted to have its administrative cake and eat it too. It argued that the FTC should have provided “ascertainable certainty” of its interpretation of the law, yet it also insisted that the agency has not issued a regulatory rule or opinion to which courts must pay deference. (Previous FTC cybersecurity administrative cases have all settled via consent decrees.) Wyndham presumably made that argument to avoid triggering deferential review of the FTC’s authority. But the 3rd Circuit said that the hotel chain can’t gain the benefit of the tighter ascertainable certainty standard if, as it insisted, the FTC has not defined unfair cybersecurity practices.

“Wyndham’s position is unmistakable: the FTC has not yet declared that cybersecurity practices can be unfair; there is no relevant FTC rule, adjudication or document that merits deference; and the FTC is asking the federal courts to interpret (the statute) in the first instance to decide whether it prohibits the alleged conduct here,” the opinion said. “The implication of this position is similarly clear: If the federal courts are to decide whether Wyndham’s conduct was unfair in the first instance under the statute without deferring to any FTC interpretation, then this case involves ordinary judicial interpretation of a civil statute, and the ascertainable certainty standard does not apply. The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires.”

The 3rd Circuit said the bar is low for fair notice to a business of civil violations and Wyndham’s challenge does not implicate constitutional issues. The question is whether the hotel chain should have known, under a cost-benefit analysis, whether its practices were likely to cause consumers more harm than good (presumably if cost savings on cybersecurity meant lower costs to consumers). “We acknowledge there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold,” the opinion said. But not here, the 3rd Circuit wrote, where Wyndham’s security measures, at least according to the FTC, fell woefully short even after the company experienced its first hack.

The FTC has been stepping up its data breach litigation in federal court. I’m sure other defendants will challenge its authority in courts outside of the 3rd Circuit, but they’re going to have to come up with better arguments than Wyndham’s.
