HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security


On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp., upholding the authority of the Federal Trade Commission (“FTC”) to oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. (“Wyndham”) moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered the issue of whether the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

The Third Circuit affirmed the ruling of the district court, finding that the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act and that neither the plain meaning of “unfairness” nor congressional action in the area of cybersecurity negates such authority. The Third Circuit also found that, to satisfy due process, a company need not have had “fair notice” of the FTC’s interpretation of what specific cybersecurity standards are required to avoid liability under the unfairness prong of § 45(a), but only “fair notice” that cybersecurity practices can form the basis of an unfair practice under § 45(a)—notice the court found to exist here.

Notably, the court did not find that Wyndham’s practices constituted unfair security measures, but rather remanded the case to the district court for a trial on the merits.

FTC’s Unfairness Authority

Wyndham raised several arguments in support of its claim that the FTC lacked the authority to regulate cybersecurity in this particular case and, more generally, under the unfairness prong of § 45(a), each of which was struck down by the Third Circuit.

First, Wyndham argued that the complaint did not allege actions that could be properly characterized as “unfair,” arguing that conduct is only unfair when it injures consumers through unscrupulous or unethical behavior, which its alleged conduct was not. The Third Circuit rejected this contention, concluding that the Supreme Court in FTC v. Sperry & Hutchinson Co. (1972) did not read these requirements into the statutory meaning of “unfair.”

Wyndham next pointed to a Webster’s Dictionary definition of unfairness, arguing that conduct must satisfy the definition, and be “not equitable” or “marked by injustice, partiality, or deception” to be considered “unfair.” The court declined to address whether these elements of the Webster’s definition were requirements of an unfairness claim, leaving the issue open for another day, and stating that the issue “makes little difference here” as the complaint alleged conduct that satisfied the definition.

Wyndham further argued that a business “does not treat its customers in an ‘unfair’ manner when [as here] the business itself is victimized by criminals.” The court disagreed, saying that it could think of “no reasoning or authority for this principle.” In addressing this point, the court also noted that a company could be subject to an unfairness claim even where the company’s conduct was not the most proximate cause of an injury, so long as it facilitated the most proximate cause and the outcome was reasonably foreseeable. This ruling has significant ramifications for future cybersecurity cases as it explicitly finds that actions that a company takes (or fails to take), from which a cyber attack is “reasonably foreseeable,” can form the basis of an unfairness claim by the FTC.

Next, Wyndham argued that three federal laws that grant substantive authority to the FTC in the cybersecurity context—an amendment to the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act—exclude cybersecurity from the scope of the FTC’s unfairness authority because such specific grants of authority would not be necessary if the FTC already had general authority to regulate cybersecurity. The Third Circuit disagreed, explaining that because each of the other laws granted additional, specific authority to the FTC beyond the FTC’s existing unfairness authority, they served to supplement the FTC’s authority rather than demonstrate an absence of it.

Finally, the court disagreed with Wyndham that the FTC’s interpretation of its authority to regulate cybersecurity as an unfair practice was inconsistent with the FTC’s efforts to obtain more explicit authority from Congress to regulate in the area.  The court explained that the FTC’s legislative efforts at issue instead related to requests to Congress for additional authority to regulate broader “fair information privacy practices” not coextensive with cybersecurity, and therefore the FTC’s position was not inconsistent.

Fair Notice

The second question on appeal was whether, assuming the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act, Wyndham had sufficient “fair notice” of what cybersecurity practices were prohibited so as to provide Wyndham with sufficient constitutional due process.

The level of notice that the Constitution requires for an entity to be subject to liability varies according to the circumstance. Where government agencies are involved in statutory or regulatory interpretation, courts require that private parties have fair notice of an agency’s interpretation of its regulation or of what conduct is legally required.

Under that principle, Wyndham argued that there was no FTC rule or adjudication on cybersecurity that provided it with constitutionally fair notice.  The court, however, found that the appropriate question was not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had “fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under § 45(a)” (emphasis added). The Third Circuit concluded that the allegations in the FTC’s complaint supported the agency’s contention that, as applied, Wyndham could “reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”

The Third Circuit’s fair notice discussion is separately worth highlighting for its dicta regarding whether FTC guidelines, complaints, and consent orders are sufficient to place companies on “fair notice.”

First, the court cited positively the FTC guidebook Protecting Personal Information: A Guide for Business as a document that “could certainly have helped Wyndham determine” whether its practices would be considered unfair under § 45(a).

The court also cited favorably the FTC complaints published along with past cybersecurity settlements, stating generally that the cybersecurity practices the FTC cited as deficient in those complaints can “help companies apprehend the possibility of liability under the statute.” The court commented that these complaints as a whole gave Wyndham notice of the necessary and sufficient conditions of an alleged § 45(a) violation, even if they did not specify which of the allegations, in the Commission’s view, formed the necessary and sufficient conditions of an alleged violation.

In contrast, the court “agree[d] with Wyndham that the FTC’s cybersecurity consent orders, which admit no liability and which focus on imposing prospective requirements on the defendants, were of little use to ascertaining the specific requirements imposed by § 45(a).”

*          *          *

This case is an important one. It solidifies the FTC’s authority in the cybersecurity context. Although the FTC has settled over 50 actions against companies relating to cybersecurity, all of those were resolved through consent orders through which the defendants agreed that the FTC had authority. Wyndham is the first confirmation by a higher court that the FTC indeed has the broad authority to regulate cybersecurity that it claims.  Practically speaking, it has never been more important for businesses to monitor FTC guidelines, complaints, and consent decrees for guidance as to what constitutes potentially unfair cybersecurity practices under § 45(a).