Whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.
(Opinion pdf page 7).
The Third Circuit affirmed the district court’s ruling.
Section 45(a)(1) prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” Section 45(a)(2) empowers the FTC to enforce §45(a)(1).
The FTC’s unfair cybersecurity practices allegations against Wyndham included storing payment card information in clear readable text, inadequate password strength, failure to use firewalls, failure to implement adequate information security policies and procedures, failure to adequately restrict network access by third-party vendors, failure to employ reasonable measures to detect and prevent unauthorized network access and failure to follow proper incident response procedures. The FTC argued that, taken together, these practices unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.
The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through unreimbursed fraudulent charges, increased costs, and lost access to funds or credit, and that they expended time and money resolving fraudulent charges and mitigating subsequent harm.
(Opinion pdf page 11).
The Third Circuit detailed Wyndham’s cybersecurity practices and the circumstances of the three cybersecurity attacks against Wyndham on pages 7 through 11.
Section 45(n) controls the FTC’s application of §45(a). Under §45(n),
The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.
Wyndham argued that the plain meaning of the word “unfair” imposes additional, independent requirements that are not articulated in §45(n). The Third Circuit indicated that some of Wyndham’s additional proposed requirements were unpersuasive and the rest were addressed by the FTC’s allegations.
The Third Circuit found this Wyndham argument particularly unpersuasive:
Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to regulate the locks on hotel room doors, to require every store in the land to post an armed guard at the door, and to sue supermarkets that are sloppy about sweeping up banana peels. The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).
We are therefore not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of “unfair.”
(Opinion pdf pages 20 – 21).
Wyndham argued that the FTC failed to give it fair notice of the specific cybersecurity standards it was required to follow.
A conviction or punishment violates the Due Process Clause of our Constitution if the statute or regulation under which it is obtained fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.
(Opinion pdf page 25).
Wyndham presented a number of arguments regarding the deference courts should give to the FTC’s interpretation of §§45(a).
Wyndham’s position is unmistakable: the FTC has not yet declared that cybersecurity practices can be unfair; there is no relevant FTC rule, adjudication or document that merits deference; and the FTC is asking the federal courts to interpret § 45(a) in the first instance to decide whether it prohibits the alleged conduct here. The implication of this position is similarly clear: if the federal courts are to decide whether Wyndham’s conduct was unfair in the first instance under the statute without deferring to any FTC interpretation, then this case involves ordinary judicial interpretation of a civil statute, and the ascertainable certainty standard does not apply. The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of what the statute itself requires.
(Opinion pdf page 35).
The Third Circuit slammed the door on Wyndham’s arguments about its unfair treatment by the FTC.
We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute. If later proceedings in this case develop such that the proper resolution is to defer to an agency interpretation that gives rise to Wyndham’s liability, we leave to that time a fuller exploration of the level of notice required. For now, however, it is enough to say that we accept Wyndham’s forceful contention that we are interpreting the FTC Act (as the District Court did). As a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute.
(Opinion pdf page 38).
The Third Circuit next determined that Wyndham had fair notice of the meaning of §45(a).
Wyndham argues it lacked notice of what specific cybersecurity practices are necessary to avoid liability. We have little trouble rejecting this claim.
To begin with, Wyndham’s briefing focuses on the FTC’s failure to give notice of its interpretation of the statute and does not meaningfully argue that the statute itself fails fair notice principles. We think it imprudent to hold a 100-year-old statute unconstitutional as applied to the facts of this case when we have not expressly been asked to do so.
(Opinion pdf pages 38 – 39).
The Third Circuit next articulated the relevant standard.
Subsection 45(n) asks whether the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. We acknowledge there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold. But under a due process analysis a company is not entitled to such precision as would eliminate all close calls. Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.
(Opinion pdf pages 39 – 40).
The Third Circuit interpreted Wyndham’s challenge to the FTC’s suit against it as an as-applied challenge, i.e., that the FTC’s enforcement of the statute against Wyndham was incorrect.
The Third Circuit described a reason why it ruled against Wyndham on this issue.
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.
(Opinion pdf page 41).
The Third Circuit summarized its opinion:
The three requirements in § 45(n) may be necessary rather than sufficient conditions of an unfair practice, but we are not persuaded that any other requirements proposed by Wyndham pose a serious challenge to the FTC’s claim here. Furthermore, Wyndham repeatedly argued there is no FTC interpretation of § 45(a) or (n) to which the federal courts must defer in this case, and, as a result, the courts must interpret the meaning of the statute as it applies to Wyndham’s conduct in the first instance. Thus, Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform. Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself—a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case.
(Opinion pdf pages 46 – 47).
This case is Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514, Third Circuit Court of Appeals.