In a closely watched case, the U.S. Court of Appeals for the Third Circuit has affirmed that the Federal Trade Commission has jurisdiction over charges that Wyndham Worldwide Corporation’s cybersecurity and privacy practices were “unfair” under 15 U.S.C. section 45(a). FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).
The FTC had filed suit against Wyndham in 2012 citing three occasions where hackers had gained access to the hotel chain’s computer system and stolen personal and financial information from hundreds of thousands of customers during 2008 and 2009. In its complaint, the FTC charged that Wyndham “engaged in unfair cybersecurity practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
The FTC alleged that, because of these practices taken collectively, Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. § 45(a).
Wyndham filed a motion to dismiss the FTC’s action, which the U.S. District Court for the District of New Jersey denied. However, the Court certified its decision on the unfairness claim for interlocutory appeal.
In holding that the FTC did have jurisdiction over these claims, the Court initially cited a 1980 policy statement in which the FTC had clarified that the injury must satisfy three tests in order to justify a finding of unfairness. The Court noted that Congress later codified the FTC’s three-pronged test in 15 U.S.C. § 45(n). Under this test, the injury: (i) must be substantial; (ii) must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and (iii) must be an injury that consumers themselves could not reasonably have avoided.
Wyndham also argued on appeal that, regardless of whether its conduct was unfair under section 45, the FTC failed to give fair notice of the specific cybersecurity standards the company was required to follow. In rejecting this argument, the Court held that the relevant question is not whether Wyndham was entitled to know with “ascertainable certainty” the FTC’s interpretation of what cybersecurity practices are statutorily required, but rather whether the company had fair notice that its conduct could fall within the meaning of the statute.