Third Circuit Affirms FTC’s Authority Over Companies’ Cybersecurity Practices

August 25, 2015

In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies which fail to take adequate steps to protect customer data.

In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards. After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.” The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices. On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.

This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act. Since 2005, the FTC has settled 53 cases against companies related to data security. Wyndham is one of two companies to challenge the FTC’s authority in this area. The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.

To continue reading our Alert on this topic, please click here.