On Monday, the Third Circuit issued a highly anticipated opinion affirming the Federal Trade Commission’s authority to regulate “unfair” cybersecurity practices under Section 5 of the FTC Act. In allowing the data breach action against Wyndham Worldwide Corporation to proceed, the Court held that Wyndham was “not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.” This ruling confirms what many practitioners already know: companies must be particularly attentive to designing and updating policies and programs that not only consider the status quo patchwork of cybersecurity rules and regulations, but that also adapt to the myriad regulatory consent decrees, frameworks, and guidelines that outline the contours of reasonableness in the context of cybersecurity.
In 2008 and 2009, on three separate occasions, hackers allegedly accessed and exfiltrated data from Wyndham Worldwide’s corporate network and from the property management systems of some of its independently owned hotels, which store hotel guests’ personal and payment information. Through a combination of attack vectors, tools and methodologies (including brute-force password attacks, memory-scraping malware, and administrator account compromises), the hackers allegedly obtained, among other things, payment card information belonging to over 619,000 consumers, reportedly resulting in at least $10.6 million in fraudulent charges and the export of hundreds of thousands of payment card details to a domain registered in Russia.
After investigating these data breaches, the FTC brought an enforcement action in 2012, alleging that Wyndham had engaged in “unfair” cybersecurity practices in violation of Section 5. Without referring to any specific cybersecurity requirements with which the FTC expected Wyndham to comply, the FTC alleged that Wyndham “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Specifically, the FTC highlighted a laundry list of deficient data security practices, including the storage of payment card information in clear text, use of weak and default passwords across its network, missing or misconfigured firewalls to limit access between systems and the Internet, failure to “adequately restrict” third-party vendors from accessing the corporate network and hotel servers, and failure to follow “proper incident response procedures,” particularly in the wake of successive cyberattacks.
FTC Not Required to Articulate Specific Cybersecurity Standards
Section 5 of the FTC Act, from which the FTC derives its consumer protection authority, prohibits “unfair or deceptive acts or practices in or affecting commerce[.]” 15 U.S.C. § 45(a). The Act further provides a cost-benefit analysis framework, defining “unfair practices” as those that “cause or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Affirming the FTC’s power to regulate unfair cybersecurity practices, the Third Circuit rejected Wyndham’s arguments that it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by Section 5. Rather, the Court held that Wyndham was only due “fair notice” that its conduct could reasonably fail Section 5’s required cost-benefit analysis, noting also that the FTC had publicly issued security guidebooks, filed numerous complaints and entered into consent decrees in administrative cases and posted such materials on its website and in the Federal Register. Moreover, it was particularly relevant that Wyndham “was hacked not one or two, but three, times. [And a]t least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.”
There are three key lessons learned from the Third Circuit’s ruling relating to cybersecurity preparedness.
- First, the ruling is a clear milepost for minimally necessary security measures (e.g., firewalls, encryption, access controls, vendor management, and incident response planning) that all companies should consider implementing and testing for efficacy. Companies that go without them risk heavy investigative and enforcement scrutiny by regulators and plaintiffs alike.
- Second, the ruling reinforces the notion that cybersecurity preparedness is an iterative and dynamic process requiring consistent, measurable progress toward a defensible regulatory and litigation posture. Companies are well-counseled not to rest on their laurels; what is a defensible posture today may not be so tomorrow. Information security programs (including technical security tools) and incident response plans that are not adaptable (or adapted) to changing risk landscapes, attack vectors, third-party interplays, and other critical mesh points unique to each organization will not aid a company that comes under FTC scrutiny. Flexible processes that continuously map safeguards to key data assets, technical controls to key vulnerabilities, and remediation measures to breach events actually experienced are critical.
- Third, the number and nature of security breach incidents may not only foretell regulatory scrutiny, but should be considered “notice” of the quality of the company’s cybersecurity measures and program. Companies that have experienced a breach should spend considerable time studying the incident to identify and develop remediation plans (physical, technical and administrative) that strengthen the company’s overall security posture and reasonably prevent, or at least promptly detect, a subsequent breach marked by similar indicators of compromise or attacker tactics.
Stay tuned for Part 2 in our series for analysis of how Section 5’s prohibition on “deceptive” practices is intertwined with and implicated in cybersecurity incidents and data breaches.