Unfair methods and data breaches

The Third Circuit has ruled that exposing credit card information to hackers can count as an “unfair method[] of competition” under the Federal Trade Commission Act. Federal Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015).

The decision opens the way for the FTC to seek injunctive and disgorgement remedies from companies whose cyber security measures fall short. It also has the collateral effect of bolstering consumer lawsuits for damages under the “Little FTC Acts” of California and 27 other states.

Any business that uses an online computer to store customer information should take notice.

The Wyndham case

The case arose from hackers’ breaches of Wyndham’s computer network on three separate occasions in 2008 and 2009. Although the hotel-and-timeshare company had assured online customers that it used “industry standard” precautions against hacking, its measures in fact fell far short of the norm, the FTC alleged.

For one thing, the FTC complaint asserted, Wyndham did not encrypt its customers’ credit card and other information and instead stored it in “clear readable text.” Id. at 8. Wyndham also used “easily guessed passwords” such as “micros” to access a Micros Systems database. Id. Nor did it employ firewalls and other standard means for limiting access across computer systems. Id.

The deficiencies enabled hackers to penetrate Wyndham’s systems, steal credit card information for more than 619,000 customers, and inflict at least $10.6 million in “fraud loss.” Id. at 11.

The FTC brought the case in the District of New Jersey. Wyndham moved to dismiss it on the grounds that the FTC’s authority in section 5(a) of the FTC Act to halt “unfair methods of competition” did not extend to failing to prevent hacking attacks and that it did not have fair notice that its lax cyber security measures would expose it to liability under section 5(a). The district court denied the motion but certified its decision for appeal.

The stakes

The case drew the attention of several business groups. Like others that filed amicus briefs in support of reversal, the Chamber of Commerce asserted that allowing the district court’s ruling to stand would wreak havoc on businesses. “Permitting the FTC to proceed on a theory that suffering a data breach is an ‘unfair’ trade practice would expose most businesses in America to the potential for a government enforcement action whenever that business suffers a cyber attack or other incident that potentially compromises personal data.” Br. of Amici Curiae Chamber of Commerce, et al., at 5. Another set of amici claimed that the FTC had adopted “a radically expansive interpretation of its authority”. Br. of Washington Legal Foundation, et al., at 15.

Amici that favored the FTC’s position focused on the harm to consumers. The brief in which Public Citizen joined stressed that private tort suits arising from online data breaches “are difficult to bring” and that federal courts had not recognized a private remedy unless misuse of the consumers’ data had already occurred. Br. of Amici Curiae Public Citizen, et al., at 4-5. Public Citizen therefore contended that FTC enforcement actions “against companies that fail reasonably to protect their consumers’ information from misappropriation are currently the only effective means of redressing the unfair corporate practices that lead to corporate data breaches that cause substantial injuries to consumers.” Id. at 5.

Decision

The Third Circuit rejected Wyndham’s arguments. The company’s failings fell within the “plain meaning” of “unfair”, the panel ruled, not least due to the deceptiveness of its boast that it employed “industry standard” security techniques when in fact its methods fell well short of average protections. Wyndham, slip op. at 15-21.

Nor did Wyndham lack “fair notice” that its failure to take reasonable data security precautions could land it in a lawsuit under the FTC Act. The panel noted that in 2005 the FTC started bringing administrative actions over cyber security breaches and deemed them “unfair” practices, that the FTC issued a “Guide for Business” about safeguarding customer data, and that the FTC accused Wyndham of egregious lapses that occurred not once or twice but three times. Therefore, the court concluded, “we have little difficulty rejecting Wyndham’s fair notice claim.” Id. at 46.

Implications

If it survives motions for rehearing and an attempt to draw the Supreme Court’s interest, the decision in Wyndham clears the way for the FTC to bring more enforcement actions over breaches of cyber security. The FTC seems ready. Almost two years ago, the Agency “announced its 50th data-security settlement” since 2005. Br. for the FTC at 8. And the FTC’s chairwoman hailed the decision for affirming “critical” FTC authority to protect consumers. Online businesses may expect a vigorous enforcement effort going forward.

But what of private actions? They should get a boost too. Twenty-eight states — including California, Florida, and Illinois — have enacted Little FTC Acts in the years since Congress passed their federal forebear in 1914. Although these acts vary, they all aim at “unfair” acts or practices.

The bolstering of private suits will come in two forms:

(1) An FTC enforcement action may have preclusive effect in a private suit, see Federal Trade Comm’n v. Gugliuzza (In re Gugliuzza), 527 B.R. 370 (C.D. Cal. 2015) (holding that judgment for FTC precluded relitigation of section 5(a) issues that the judgment resolved), putting pressure on companies to resolve private cases, and

(2) Wyndham may prove influential to courts that consider data breach actions under Little FTC Acts, enhancing the likelihood of success in private actions.

Nor may an absence of current losses present an insurmountable obstacle to private claimants who wish to bring suit for damages under Little FTC Acts. The Seventh Circuit held in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, slip op. at 7 (7th Cir. July 20, 2015), that “identifiable costs associated with the process of sorting things out” and a “substantial risk” of harm from future “fraudulent charges and identity theft” supply enough of a current injury to support a data breach claim under state law. (For more on Remijas, see JOLT Digest.)

Businesses that deal with customers online face greater liability risks in the wake of Remijas and Wyndham. They should consider taking steps to review and, if appropriate, enhance their measures for cyber security.