Joining the list of courts that have evaluated the Federal Trade Commission’s authority in the data security space, the U.S. Court of Appeals for the Third Circuit heard arguments on FTC v. Wyndham Worldwide Corporation on March 3, 2015 on two questions certified on interlocutory appeal:
- Whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act, and
- Whether the FTC must formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.
The court’s questioning took a skeptical tone in probing, as a threshold matter, whether Congress imbued the FTC (which has authority to investigate and pursue claims of unfairness under Section 5(a)) with the authority to define or declare specific practices as “unfair.” This question is particularly salient given the novelty of emerging issues, such as cybersecurity, where “unfair practices” may not be as easy to identify as garden-variety fraud. The Commission responded that Congress intended “unfair practices” to be a flexible balancing test in which the likelihood of unavoidable consumer harm is weighed against any countervailing benefits. The Commission further argued that the Third Circuit could itself decide whether unreasonable cybersecurity practices are unfair. Although the court seemed unreceptive to this suggestion and took issue with the FTC’s reliance on FTC v. Neovi, a case where the Ninth Circuit addressed a novel theory of unfairness, the FTC argued that legislative history still left open that possibility.
Assuming that the FTC may make unfairness determinations, the court also explored whether the FTC has provided sufficient notice of what practices it considers to be unfair. The court pressed the FTC about the practicality of notice, asking whether companies are to be expected to read FTC consent orders and other FTC missives to infer what would constitute unfair conduct. The court also discussed FTC v. LabMD, an administrative proceeding involving claims of unfairness for inadequate data security safeguards, and whether the ALJ’s findings there could help establish unreasonable security safeguards as an unfair practice.
The court also asked both parties what standard – beyond a finding of negligence – should be required to establish liability for unreasonable data security practices. Judge Ambro suggested that negligence taken in conjunction with other misconduct, such as deception, might be sufficient. He explained that Wyndham’s negligence in combination with deceptive security-related statements on its website might satisfy this requirement.
The FTC has so far used Section 5(a) over 50 times against companies that employ what the FTC claims are weak data practices that put consumers’ personal information at risk. Most companies choose to settle with the FTC rather than litigate as Wyndham did. The Third Circuit’s decision in this case will have important implications, either directing companies to look to FTC precedent for guidance on data security practices or potentially stripping the FTC of its power to bring enforcement actions against unreasonable data security practices on unfairness grounds until it issues formal guidelines.