by Daniel J. Solove
The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015). The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.
Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security. Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” Deception and unfairness are two independent bases for FTC enforcement. During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled. Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.
Among the arguments made by Wyndham, three are most worth focusing on:
(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.
(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.
(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.
The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals. Here is a very brief overview of the 3rd Circuit’s reasoning.
FTC Authority to Regulate Data Security
On the first argument above, the court noted: “Wyndham does not argue that recent privacy laws contradict reading corporate cybersecurity into § 45(a). Instead, it merely asserts that Congress had no reason to enact them if the FTC could already regulate cybersecurity through that provision.” The court then disagreed with this argument, holding that the FTC can regulate data security through Section 5. The court examined several statutes granting the FTC authority to regulate data security and distinguished the powers granted in these statutes from the powers the FTC has under Section 5. Accordingly, the court concluded, “none of the recent privacy legislation was ‘inexplicable’ if the FTC already had some authority to regulate corporate cybersecurity through § 45(a).”
Wyndham argued that FTC unfairness enforcement fails to provide fair notice. Under the Due Process Clause of the U.S. Constitution, due process is violated if regulation “fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.” The 3rd Circuit noted that the standard is “especially lax for civil statutes that regulate economic activities. For those statutes, a party lacks fair notice when the relevant standard is so vague as to be no rule or standard at all.'” The 3rd Circuit concluded:
We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a). Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute. If later proceedings in this case develop such that the proper resolution is to defer to an agency interpretation that gives rise to Wyndham’s liability, we leave to that time a fuller exploration of the level of notice required. For now, however, it is enough to say that we accept Wyndham’s forceful contention that we are interpreting the FTC Act (as the District Court did). As a necessary consequence, Wyndham is only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute.
The court went on to note that although “there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold,” due process doesn’t require laser-sharp precision: “But under a due process analysis a company is not entitled to such precision as would eliminate all close calls. Fair notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”
Professor Hartzog and I have argued that the FTC’s complaints and consent degrees act as a quasi-common law and can be looked at to provide guidance about the security standards companies should follow. The court reached a similar conclusion:
Before the attacks, the FTC also filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity. The agency published these materials on its website and provided notice of proposed consent orders in the Federal Register. Wyndham responds that the complaints cannot satisfy fair notice principles because they are not “adjudications on the merits.” But even where the “ascertainable certainty” standard applies to fair notice claims, courts regularly consider materials that are neither regulations nor “adjudications on the merits.”
In a chart, the 3rd Circuit then pointed to five prior FTC cases that were relevant to the security issues in Wyndham.
On the argument about lack of injury, the 3rd Circuit held in an important passage:
Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n.45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); Westfarm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir. 1995) (“Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”). For good reason, Wyndham does not argue that the cybersecurity intrusions were unforeseeable. That would be particularly implausible as to the second and third [hacking] attacks [that Wyndham experienced].
I want to reiterate one great line in the passage above — “And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” This line is key, as “actual injury” (or harm) is often a basis for many courts to dismiss privacy and data security cases. The court makes clear here that “substantial injury” for FTC Act unfairness does not require actual injury. The FTC Act protects consumers against reasonably foreseeable harms when a company’s conduct facilitates these harms — even when a company’s conduct might not be “the most proximate cause of an injury.”
This is a very important case. The FTC achieved a huge win in this case, preserving its power to regulate data security (and privacy by implication). The FTC strengthened its power, as its victory in this case was a strong one, making clear that the FTC has broad authority to enforce to protect data security. As Woodrow Hartzog and I have argued, we believe that the FTC has significantly broad authority to regulate privacy and data security and that it should be flexing its enforcement muscles even more.
More on the FTC and Privacy and Data Security
Professor Woodrow Harzog and I have been writing extensively on the FTC. Here is a list of some of our work if you’re interested:
Law Review Articles
Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014)
Woodrow Hartzog & Daniel J. Solove, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review (forthcoming 2015)
Woodrow Hartzog & Daniel J. Solove, The FTC as Data Security Regulator: FTC v. Wyndham and Its Implications, 13 Bloomberg BNA Privacy & Security Law Reporter 621 (April 14, 2014)
Daniel J. Solove & Woodrow Hartzog, The FTC and Privacy and Data Security Duties in the Cloud, 13 Bloomberg BNA Privacy & Security Law Reporter 577 (April 7, 2014)
Daniel J. Solove & Woodrow Hartzog, Should the FTC Kill the Password? The Case for Better Authentication, 14 Bloomberg BNA Privacy & Security Law Report 1353 (July 27, 2015)
Daniel J. Solove & Woodrow Hartzog, Should the FTC Kill the Password? The Case for Better Authentication (August 6, 2015)
Daniel J. Solove & Woodrow Hartzog, Should the FTC Be Regulating Privacy and Data Security? (Nov. 14, 2014)
Daniel J. Solove & Woodrow Hartzog, Snapchat and FTC Privacy and Security Consent Orders (May 19, 2014)
Daniel J. Solove & Woodrow Hartzog, 5 Key Quotes from the FTC v. Wyndham Decision on Data Security (April 22, 2014)
I also recently gave a webinar called Understanding the FTC on Privacy and Security based on my work with Woodrow.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.