Third Circuit

FTC and Wyndham Call a Truce


Following the Third Circuit’s ruling upholding the FTC’s authority to regulate unfair and deceptive cybersecurity practices under Section 5 of the FTC Act, Wyndham Worldwide Corporation and the FTC have agreed to settle. This marks the end of a hotly contested and closely watched case at the crossroads of data security and regulatory enforcement.

As reported in our previous posts on this topic, Wyndham experienced three breaches of its systems in 2008 and 2009, resulting in the exposure of approximately 619,000 consumers’ credit card numbers. The FTC initiated an enforcement action in 2012 alleging that Wyndham engaged in unfair and deceptive cybersecurity practices in violation of Section 5 of the FTC Act. The FTC asserted that Wyndham’s cybersecurity practices were deficient in myriad ways that placed consumer data at risk of theft: for example, storing payment card information in clear text, using weak and default passwords across networks, failing to install or misconfiguring firewalls, failing to adequately restrict vendor access to corporate networks, and failing to follow appropriate incident response procedures after successive cyberattacks.


Third Circuit to Wyndham (Part II): “Deceptive” is also “Unfair” in the Cybersecurity Context

In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform.  In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.

The FTC has long applied its “deceptive acts” enforcement power to police representations, omissions or practices that are likely to mislead consumers acting reasonably under the circumstances, [1] and its “unfair acts” enforcement power to police acts that likely injure consumers, but which are not reasonably avoidable by the consumers themselves. [2] In the cybersecurity context, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corporation illustrates the “frequent overlap” between deception and unfairness by explicitly linking alleged overstatements in privacy policies to the question of whether security practices are unfair.  Accordingly, companies should exercise serious care in crafting representations in their privacy policies, terms of use, and other consumer-facing statements to validate that those statements closely conform to actual, internal business practices.
