FTC Fines Can Add Salt to a Cybersecurity Wound

Cyberattacks are on the rise—so much so that we seem to hear about a high-profile hack more often than it probably rains in most parts of California. Although reputational damage from a cyberattack can be scarring, a recent U.S. Third Circuit Court decision provides a reminder that the pain can come in many forms. In Federal Trade Commission v. Wyndham Worldwide Corp., the Court confirmed that the FTC can levy expensive fines on a business for failing to adequately protect consumer information. If there wasn’t sufficient reason before, the Third Circuit opinion should convince many who ignored cybersecurity to take a more proactive approach.

In the Third Circuit case, the FTC brought suit against Wyndham Worldwide Corporation in response to hackers stealing data for over half a million consumers from Wyndham’s computer systems. Specifically, the FTC sued Wyndham for misrepresenting its cybersecurity practices and for failing to provide adequate cybersecurity measures. On appeal, Wyndham argued that (1) the FTC’s power to regulate “unfair business practices” did not include the power to regulate Wyndham’s cybersecurity practices and (2) even if it did, the FTC’s prior publication of various consent decrees did not provide fair notice that Wyndham’s cybersecurity practices fell short of the law.

Not only did the Third Circuit find that the FTC could address cybersecurity practices as unfair business practices, but it also held that the FTC’s prior publication of consent decrees (in administrative cases which raised unfairness claims based on inadequate corporate cybersecurity) gave Wyndham more than enough notice that its cybersecurity practices were inadequate. Accordingly, the FTC need not necessarily define what constitutes adequate or inadequate cybersecurity by rule, regulation or guidance. Instead, it may provide sufficient notice of cybersecurity requirements through enforcement and publication thereof.

Thus, the case highlights the need for companies to keep abreast of the FTC’s publications—not only its rules, regulations and guidelines, but also its latest settlements and consent orders. In addition, the case provides yet another reminder that companies should carefully craft and update their privacy policies so that the policies are not and do not become deceptive.