Third Circuit to Wyndham (Part II): “Deceptive” is also “Unfair” in the Cybersecurity Context

In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform.  In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.

The FTC has long applied its “deceptive acts” enforcement power to police representations, omissions or practices that are likely to mislead consumers acting reasonably under the circumstances, [1] and its “unfair acts” enforcement power to police acts that likely injure consumers, but which are not reasonably avoidable by the consumers themselves. [2] In the cybersecurity context, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corporation illustrates the “frequent overlap” between deception and unfairness by explicitly linking alleged overstatements in privacy policies to the question of whether security practices are unfair.  Accordingly, companies should exercise serious care in crafting representations in their privacy policies, terms of use, and other consumer-facing statements to validate that those statements closely conform to actual, internal business practices.

Background

As we reported last time, on three separate occasions in 2008 and 2009, hackers allegedly accessed and exfiltrated payment card information belonging to over 619,000 of Wyndham’s guests (reportedly causing some $10.6 million in fraudulent charges) from its corporate network and certain of its independently-owned hotels’ property management systems.

The FTC brought an enforcement action under the unfairness prong of Section 5 of the FTC Act, alleging that Wyndham’s data security practices “unreasonably and unnecessarily” exposed consumers’ personal data to unauthorized access and theft.  (See our discussion in Part I.)  The FTC complaint also raised a deception claim against Wyndham for misleading statements in its online privacy policies going back to at least 2008.  The statements at issue included representations by Wyndham that it protected customer information through “industry standard practices” and “commercially reasonable efforts,” such as “128-bit encryption,” “fire walls” and “other appropriate safeguards.”  According to the FTC, however, Wyndham failed to use encryption, firewalls, and a host of other allegedly commercially reasonable methods to secure consumer data.  The District Court allowed the FTC’s deception claim, together with its unfairness claim, to proceed past Wyndham’s motion to dismiss.

Privacy Policy “Directly Relevant” to Unfair Cybersecurity Practices

Although the FTC’s claims of deceptive practices were not directly considered on appeal, Wyndham’s allegedly deceptive privacy policy statements emerged as a critical factor in affirming the District Court’s denial of the company’s attempt to dismiss the unfairness claims. [3]

First, the Third Circuit turned Wyndham’s own argument against it when the company asserted that conduct is only “unfair” if it is “not equitable” or “marked by injustice, partiality, or deception.”  The Court roundly rejected Wyndham’s position, noting that a company does not act equitably when it “publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

Second, the Court observed that the FTC Act provides for a cost-benefit framework under which unfair practices are those (i) that are likely to cause substantial injury, (ii) that are not reasonably avoidable by consumers themselves, and (iii) that are not outweighed by countervailing benefits.  It then credited the FTC’s argument that “consumers could not reasonably avoid injury by booking with another hotel chain because Wyndham had published a misleading privacy policy that overstated its cybersecurity.”  Finding it plausible – at the motion-to-dismiss stage of the litigation – that consumers were misled by Wyndham’s privacy policy, the Third Circuit deemed the policy “directly relevant” to whether the company’s conduct was unfair.

Conclusion

There is nothing new about the FTC’s use of Section 5 to police misrepresentations or omissions in consumer-facing statements.  Deception claims are standard fare in the 50+ cybersecurity consent decrees that the FTC has obtained to date, as well as in hundreds of other FTC consumer protection actions, most notably in the advertising and marketing context.  A recent example is the FTC’s motion for contempt filed against LifeLock for failing to comply with its 2010 consent decree with the FTC and 35 State Attorneys General.  Among the alleged violations were misrepresentations that the company protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received indications of problems, and a failure to maintain a comprehensive information security program to protect customers’ personal information.

The Third Circuit’s opinion is a clear message that companies should expect that their consumer-facing statements (e.g., privacy policies, terms of use, advertisements, etc.) will be tested for both accuracy and fairness.  Companies should be on alert to immediately consider the following:

  • What (and how much) should you publicly state about security?  Decide whether detailed statements about your plans, protocols, processes and tools are necessary and generate business value.  Avoid overstating your security practices, or implying that a high level of security is applied across the board, when in fact it is applied only to certain portions of the data set.  Be thoughtful about the fine line between transparency that informs customers on the ways in which you collect, use, share, store and transfer data, and vague language or catch phrases, such as “industry standard security,” “bank-level encryption” or “we do everything we can do to secure your data,” that can land a company in hot water.
  • How (and how often) do you test your public statements?  All consumer-facing representations should be audited no less than twice per year.  Reviews should be accelerated as part of privacy-by-design processes any time new products or services will be deployed.  And always include the IT/InfoSec team in reviewing and approving all security-related statements together with the privacy and legal team.
  • Are reasonable security disclaimers appropriate?  Given the constantly shifting cyber threat landscape, virtually any assurance regarding security is susceptible to scrutiny.  This is why many companies include blanket disclaimers informing consumers that security measures may change, be unavailable from time to time, or even circumvented by sophisticated actors (e.g., “We cannot guarantee 100% security, and no security is fail proof”).  Competent judgment is required to strike a thoughtful balance: any legal benefits that disclaimer language may provide should be weighed against the PR/business impact of being viewed as shifting risk to the consumer.
________________________________________
[1] See FTC Policy Statement on Deception, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984).
[2] See 15 U.S.C. § 45(n).
[3] As support for the proposition that it could not completely “disentangle” the FTC’s deception and unfairness theories, the Third Circuit cited to a string of administrative decisions in which the FTC has “described deception as a subset of unfairness.”