Recently, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (FTC) may pursue a lawsuit against Wyndham Worldwide Corporation, a hotel and time share operator for “unfair and deceptive” cybersecurity practices. In its complaint, the FTC alleged that Wyndham “unreasonably and unnecessarily” exposed consumers’ personal data in more than 600,000 payment card accounts, resulting in 3 data breaches in 2008 and 2009. According to the FTC, these data breaches resulted in approximately $10.6 million in fraudulent charges and constitute a violation of the “unfair and deceptive practices” prongs of Section 5 of the FTC Act (15 U.S.C. §45). Section 5(a) of the FTC Act prohibits unfair or deceptive acts or practices (UDAP) in or affecting commerce and this standard applies to any person or entity doing business. While the FTC has no direct enforcement authority over banks, the bank regulatory agencies and the CFPB have authority to enforce the UDAP rules, as expanded by Section 1031 of the Dodd Frank Act to include “abusive acts and practices”, against banks and other institutions providing consumer financial products (UDAAP).
Getting Hacked May Mean a UDAP?
According to the FTC complaint, Wyndham failed to follow its own data security protocol by committing the following data security errors:
- Stored customer’s payment card information in clear, readable text
- Used easily guessed passwords to access the company’s property management systems.
- Failed to use “readily available security measures” such as firewalls to limit access to the company’s systems, its corporate network and the Internet.
- Maintained permissive networking protocols, including non-updated security programs and inadequate password protection.
- Failed to comply with its own policies and procedures, which claimed that the company safeguards customer data “using industry standard practices.”
- Allowed third party vendors easy access to networks and servers.
Significance of the Third Circuit Ruling
Wyndham challenged the FTC authority to enforce cybersecurity practices and sought to dismiss the suit on grounds that its conduct does not meet the definition of “unfair” or “deceptive” and that the FTC cybersecurity rules were too vague. The Third Circuit ruled, however, that the FTC’ has authority over unfair acts or practices that cause or are likely to cause substantial injury to consumers, are not reasonably avoidable by consumers themselves, and are not outweighed by countervailing benefits to consumers or to competition. In addition, the court ruled that Wyndham had had adequate notice that its conduct might give rise to liability in light of the FTC’s publicly available data security guidance and earlier enforcement actions, and because Wyndham had been repeatedly hacked.
The Third Circuit’s ruling constitutes a significant victory for the FTC for two reasons. First, the ruling allows the FTC to regulate data security without being formally required to issue rules and regulations detailing data security practices that are considered “reasonable” in the eyes of the agency. Second, the ruling gives the FTC the ability to use Section 5 of the FTC Act to pursue lax data-security practices, similar to the method by which the CFPB uses UDAAP in the Dodd Frank Act, based on ad hoc government interpretations of what is “unfair, deceptive or abusive” to a customer. Companies will be required to track FTC guidance, complaints, enforcement actions, and adjudications in order to get a sense of what things they need to do to comply from a compliance standpoint.
Banks and financial institutions should take notice of this ruling since cybersecurity is a dominant focus of its own regulators. As many of our clients know, the challenge of UDAP/UDAAP compliance is that the standards are difficult to pin down and inherently flexible. Federal agencies have raised UDAP/UDAAP claims even if a company is not directly covered or exempt from a financial services law (e.g. Fair Debt Collections Practices Act). Businesses should work with counsel to review their data-security protocols and operational policies and procedures to ensure compliance in light of this potential new avenue of liability.