HackedUnfair methods and data breaches

The Third Circuit has ruled that exposing credit card information to hackers can count as an “unfair method[] of competition” under the Federal Trade Commission Act. Federal Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).

The decision opens the way for the FTC to seek injunctive and disgorgement remedies from companies whose cyber security measures fall short. It also has the collateral effect of bolstering consumer lawsuits for damages under the “Little FTC Acts” of California and 27 other states.

Any business that uses an online computer to store customer information should take notice.

The Wyndham case

The case arose from hackers’ breaches of Wyndham‘s computer network on three separate occasions in 2008 and 2009. Although the hotel-and-timeshare company had assured online customers that it used “industry standard” precautions against hacking, its measures in fact fell far short of the norm, the FTC alleged.

For one thing, the FTC complaint asserted, Wyndham did not encrypt its customers’ credit card and other information and instead stored it in “clear readable text.” Id. at 8. Wyndham also used “easily guessed passwords” such as “micros” to access a Micros Systems database. Id. Nor did it employ firewalls and other standard means for limiting access across computer systems. Id.

The deficiencies enabled hackers to penetrate Wyndham’s systems, steal credit card information for more than 619,000 customers, and inflict at last $10.6 million in “fraud loss”. Id. at 11.

The FTC brought the case in the District of New Jersey. Wyndham moved to dismiss it on the grounds that the FTC’s authority in section 5(a) of the FTC Act to halt “unfair methods of competition” did not extend to failing to prevent hacking attacks and that it did not have fair notice that its lax cyber security measures would expose it to liability under section 5(a). The district court denied the motion but certified its decision for appeal.

The stakes

The case drew the attention of several business groups. Like others that filed amicus briefs in support of reversal, the Chamber of Commerce asserted that allowing the district court’s ruling to stand would wreak havoc on businesses. “Permitting the FTC to proceed on a theory that suffering a data breach is an ‘unfair’ trade practice would expose most businesses in America to the potential for a government enforcement action whenever that business suffers a cyber attack or other incident that potentially compromises personal data.” Br. of Amici Curiae Chamber of Commerce, et al., at 5. Another set of amici claimed that the FTC had adopted “a radically expansive interpretation of its authority”. Br. of Washington Legal Foundation, et al., at 15.

Amici that favored the FTC’s position focused on the harm to consumers. The brief in which Public Citizen joined stressed that private tort suits arising from online data breaches “are difficult to bring” and that federal courts had not recognized a private remedy unless misuse of the consumers’ data had already occurred. Br. of Amici Curiae Public Citizen, et al., at 4-5. Public Citizen therefore contended that FTC enforcement actions “against companies that fail reasonably to protect their consumers’ information from misappropriation are currently the only effective means of redressing the unfair corporate practices that lead to corporate data breaches that cause substantial injuries to consumers.” Id. at 5.


The Third Circuit rejected Wyndham’s arguments. The company’s failings fell within the “plain meaning” of “unfair”, the panel ruled, not least due to the deceptiveness of its boast that it employed “industry standard” security techniques when in fact its methods fell well short of average protections. Wyndham, slip op. at 15-21.

Nor did Wyndham lack “fair notice” that its failure to take reasonable data security precautions could land it in a lawsuit under the FTC Act. The panel noted that in 2005 the FTC started bringing administrative actions over cyber security breaches and deemed them “unfair” practices, that the FTC issued a “Guide for Business” about safeguarding customer data, and that the FTC accused Wyndham of egregious lapses that occurred not once or twice but three times. Therefore, the court concluded, “we have little difficulty rejecting Wyndham’s fair notice claim.” Id. at 46.


If it survives motions for rehearing and an attempt to draw the Supreme Court’s interest, the decision in Wyndham clears the way for the FTC to bring more enforcement actions over breaches of cyber security. The FTC seems ready. Almost two years ago, the Agency “announced its 50th data-security settlement” since 2005. Br. for the FTC at 8. And the FTC’s chairwoman hailed the decision for affirming “critical” FTC authority to protect consumers. Online businesses may expect a vigorous enforcement effort going forward.

But what of private actions? They should get a boost too. Twenty-eight states — including California, Florida, and Illinois — have enacted Little FTC Acts in the years since Congress passed their federal forebear in 1914. Although these acts vary, they all aim at “unfair” acts or practices.

The bolstering of private suits will come in two forms:

(1) An FTC enforcement action may have preclusive effect in a private suit, see Federal Trade Comm’n v. Gugliuzza (In re Gugliuzza), 527 B.R. 370 (C.D. Cal. 2015) (holding that judgment for FTC precluded relitigation of section 5(a) issues that the judgment resolved), putting pressure on companies to resolve private cases, and

(2) Wyndham may prove influential to courts that consider data breach actions under Little FTC Acts, enhancing the likelihood of success in private actions.

Nor may an absence of current losses present an insurmountable obstacle to private claimants who wish to bring suit for damages under Little FTC Acts. The Seventh Circuit held in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, slip op. at 7 (7th Cir. July 20, 2015), that “identifiable costs associated with the process of sorting things out” and a “substantial risk” of harm from future “fraudulent charges and identity theft” supply enough of a current injury to support a data breach claim under state law. (For more on Remijas, see JOLT Digest.)

Businesses that deal with customers online face greater liability risks in the wake of Remijas and Wyndham. They should consider taking steps to review and, if appropriate, enhance their measures for cyber security.

Email this postShare this post on LinkedIn
Photo of Barry Barnett Barry Barnett

Clients and colleagues call Barry Barnett an “incredibly gifted lawyer” (Chambers and Partners) who is “magic in the courtroom” (Who’s Who Legal), “the top antitrust lawyer in Texas” (Chambers and Partners), and “a person of unquestioned integrity” (David J. Beck, founder of Beck…

Clients and colleagues call Barry Barnett an “incredibly gifted lawyer” (Chambers and Partners) who is “magic in the courtroom” (Who’s Who Legal), “the top antitrust lawyer in Texas” (Chambers and Partners), and “a person of unquestioned integrity” (David J. Beck, founder of Beck Redden).

Barnett is a Fellow in the American College of Trial Lawyers, and Lawdragon has named him one of the top 500 lawyers in the United States three years in a row. Best Lawyers in America has honored him as “Lawyer of the Year” for Bet-the-Company Litigation (2019 and 2017) and Patent Litigation (2020) in Houston. Based in Texas and New York, Barnett has tried complex business disputes across the United States.

Barnett’s background, training, and experience make him indispensable to his clients. The small-town son of a Texas roughneck and grandson of a Texas sharecropper, Barnett “developed an unusual common sense about people, their motivations, and their dilemmas,” according to former client Michael Lewis.

Barnett has been historically recognized for his effectiveness and judgment. His peers chose him, for example, to the American College of Trial Lawyers and American Law Institute. His decades of trial and appellate work representing both plaintiffs and defendants have made him a master strategist and nimble tactician in complex disputes.

Barnett focuses on enforcement of antitrust laws, the “Magna Carta of free enterprise,” in Supreme Court Justice Thurgood Marshall’s memorable phrase. “Barry is one of the nation’s outstanding antitrust lawyers,” according to Joseph Goldberg, a member of the Private Antitrust Enforcement Hall of Fame. Named among Texas’s top ten antitrust lawyers of 2023, Business Today calls Barnett a “trailblazer” among the “distinguished legal minds” who “dedicate their skill and expertise to the maintenance of healthy competition in various sectors” of the Lone Star State’s booming economy. Barnett is also adept in energy and intellectual property matters and has battled for clients against a Who’s Who list of corporate behemoths, including Abbott Labs, Alcoa, Apple, AT&T, BlackBerry, Broadcom, Comcast, Dow, JPMorgan Chase, Samsung, and Visa.

Barnett commands a courtroom with calm and credibility and “is the perfect lawyer for bet the company litigation,” said Scott Regan, General Counsel of former client Whiting Petroleum. His performance before the Supreme Court in Comcast Corp. v. Behrend prompted the Court to withdraw the question on which it had granted review. The judge in a trial involving mobile phone technology called Barnett “one of the best” and that his opening statement the finest he had ever seen. Another trial judge told Barnett minutes after a jury returned a favorable verdict against the county’s biggest employer that he was one of the two best trial lawyers he’d ever come across—adding that the other one was dead.

A versatile trial lawyer, Barnett knows how to handle a case all the way from strategic pre-suit planning to affirmance on appeal. He’s tried cases to verdict and then briefed and argued them when they went before appellate courts, including the Second, Third, Fifth, and Tenth Circuits, the Supreme Court of Louisiana, and (in the case of Comcast Corp. v. Behrend) the Supreme Court of the United States.

Barnett is a sought-after public speaker, often serving on panels and talking about topics like the trials of antitrust class actions and techniques for streamlining complex litigation. He also comments on trends in commercial litigation and the implications of major rulings for outlets such as NPR, Reuters, Law360, Corporate Counsel, and The Dallas Morning News. He’s even appeared in a Frontline program about underfunding of state pensions, authored chapters on “Fee Arrangements” and “Techniques for Expediting and Streamlining Litigation” (the latter with Steve Susman) in the ABA’s definitive treatise on Business and Commercial Litigation in Federal Courts, 5th, and commented on How Antitrust Enforcers Might Think Like Plaintiffs’ Lawyers.

Clients and other hard graders have praised Barnett for his courtroom skills and legal acumen.

A client in a $100 million oil and gas case, which Barnett’s team won at trial and held on appeal, said Barnett and his team “presented a rare combination of strong legal intellect, common sense about right and wrong, and credibility in the courtroom.” David McCombs at Haynes and Boone said Barnett “has a natural presence that goes over well with juries and judges.”

Even former adversaries give Barnett high marks. Lead opposing counsel in a decade-long antitrust slugfest said “Barry is a highly skilled advocate. He understands what really matters in telling a narrative and does so in a very compelling manner.”

Barnett relishes opportunities to collaborate with all kinds of people. At the Center for American and International Law (CAIL), founded by a former prosecutor at Nuremberg in 1947 and headquartered in the Dallas area, he has served on the Executive Committee, co-chaired the committee that produced CAIL’s first-ever strategic plan, supported CAIL’s Institute for Law Enforcement Administration and other development efforts, and proposed formation of a new Institute for Social Justice Law. CAIL’s former President David Beck said “Barry is extremely bright” and is “very well prepared in every lawsuit or professional task he undertakes.”

Barnett is also a Trustee of the New-York Historical Society, a Sterling Fellow at Yale, a member of the Yale University Art Gallery’s Governing Board, a winner of the Class Award for his work on behalf of his college class, and a proud contributor to the Yellow Ribbon Program at Harvard Law. Barnett’s pro bono work includes leading the trial team representing people who are at greatest risk of severe illness and death as a result of being exposed to the novel coronavirus SARS-CoV-2 while being detained in the Dallas County jail—work for which he received the NGAN Legal Advocacy Fund RBG Award.

At Susman Godfrey, Barnett has served on the firm’s Executive Committee, Employment Committee, and ad hoc committees on partner compensation, succession of leadership, and revision of the firm’s partnership agreement. He also twice chaired the Practice Development Committee.

Barnett understands that clients face many pressures. Managing the stress is important, especially in matters that take years to resolve. He encourages clients to call him whenever they have a question or concern and to keep the inevitable ups and downs in perspective. He wants them to know that he will do his level best to help them achieve their goals. He also strives to foster trust and to make working with him a pleasure.

Cyrus “Skip” Marter, the General Counsel of Bonanza Creek in Denver and a former Susman Godfrey partner and client, said Barnett is “excellent about communicating with clients in a full and honest manner” and can “negotiate for his clients from a position of strength, because he is not afraid to take a case through a full trial on the merits.” Stacey Doré, the President of Hunt Utility Services and a former client, said that Barnett is “an excellent trial lawyer and the person you want to hire for your bet-the-company cases. He is client focused, responsive, and uniquely savvy about trial and settlement strategy.” A New York colleague said, “Barry is a joy to work with as co-counsel. He tackles complex procedural and factual hurdles capably, efficiently, and without drama.”

Barnett’s wide-ranging experience and calm, down-to-earth approach enable him to connect with clients, judges, jurors, witnesses, and even opposing counsel. He grew up in Nacogdoches, Texas. He co-captained his high school varsity football team as an All-East Texas middle linebacker while also serving as the Editor of Key Club’s Texas-Oklahoma District, won the Best Typist award, took the History Team to glory, and sang in the East Texas All Region Choir. As Dan Kelly of client Vistra Corp. put it, Barnett is “a great person to be around.”

Barnett is steady and loyal. He has practiced at Susman Godfrey his entire career. He and his wife Nancy live in Dallas and enjoy spending time in Houston and New York. Their daughter works for H-E-B in Houston, and their son is a Haynes and Boone transactions lawyer in Dallas.

As a member of Ivy League championship football teams in his junior and senior years at Yale and a parent of two Yalies, Barnett has no trouble choosing sides for “The Game” in November. And he knows how important fighting all the way to the end is. On his last play from scrimmage, in the waning minutes of The Game on Nov. 22, 1980, he recovered a Crimson fumble.

Yale won, 14-0.