
Today's Trends in Credit Regulation

Third Circuit Thwarts Challenge to FTC's Data Security Authority
By Rebecca E. Kuehn and Meghan S. Musselman

On August 24, 2014, the U.S. Court of Appeals for the Third Circuit rejected a challenge to the FTC's authority to bring cases based on allegedly poor data security practices. The court held in FTC v. Wyndham Worldwide Corporation that the Federal Trade Commission ("FTC") can challenge Wyndham's data security practices under the unfairness prong of Section 5 of the FTC Act. Although the FTC has brought over 50 data security cases, many involving unfairness, this case marks the first time a court has opined on this issue, because most of those actions settled out of court.

As alleged by the FTC, Wyndham, the owner of the well-known hotel brand, experienced three separate security breaches in 2008 and 2009. The breaches allegedly affected over 600,000 consumers and resulted in over $10 million in fraudulent charges. The FTC found that Wyndham's cybersecurity practices were lacking to such a degree that Wyndham "unreasonably and unnecessarily exposed consumer's personal data to unauthorized access and theft" and that Wyndham engaged in unfair practices in violation of Section 5.

Wyndham challenged the FTC's authority to regulate cybersecurity under Section 5 and, further, argued that even if the FTC did have such authority, Wyndham did not have fair notice of the specific cybersecurity standards it was required to follow. The Third Circuit found that the FTC does have authority to challenge data security practices as "unfair" and that Wyndham had adequate notice of what would be required for its data security practices to survive an unfairness challenge.

In reaching its decision, the Third Circuit highlighted several issues that provide useful takeaways for industry:

Read FTC Complaints

The Third Circuit discussed prior FTC Complaints as potentially helpful guideposts in determining whether an entity's data security practices are sufficient. The Third Circuit even went so far as to include in its opinion a table, comparing the FTC's specific complaints against Wyndham to the FTC's 2006 complaint against CardSystems Solutions, Inc. Many of the complaints are virtually identical, including:

  • storing sensitive (e.g. payment card) information in clear, readable text
  • failing to monitor the network for the malware used in a previous intrusion
  • failing to use strong passwords
  • failing to use readily available security measures, like firewalls, to limit access between the company's network and the Internet
  • failing to employ reasonable measures to detect and prevent unauthorized access to the computer network

The Third Circuit did not reach the question of whether these allegations were well-founded or would be sufficient to allow the FTC to prevail on its unfairness claim. However, companies would do well to review the FTC's data security complaints closely and make sure their own data security practices pass muster. The FTC's new business publication, Start with Security: A Guide for Businesses, summarizes the lessons learned from the FTC's cases.

Employ A Cost-Benefit Analysis

The Third Circuit said that the relevant standard for purposes of Section 5 is a cost-benefit analysis. In assessing and developing data security practices, companies should consider the likelihood and severity of potential consumer harm, and balance that against the costs of investing in stronger data security.

Identify and Remediate Vulnerabilities

Wyndham experienced three security breaches within a two-year time frame. The third breach was the result of the same vulnerability that caused the second breach. In other words, had Wyndham addressed the issue that caused the second breach, the third breach would not have happened. If a company becomes aware of a vulnerability - whether due to a breach or otherwise - it should be remediated as quickly as possible.

Rebecca E. Kuehn is a partner in the Washington, D.C., office of Hudson Cook, LLP. Becki can be reached at 202-715-2008 or by email at rkuehn@hudco.com.

Meghan S. Musselman is a partner in the Maryland office of Hudson Cook, LLP. Meghan can be reached at 410-865-5403 or by email at mmusselman@hudco.com.
