Legal Alert: FTC v. Wyndham: A Victory for the FTC and a Wake-Up Call for the Business Community
The Third Circuit’s opinion earlier this week in FTC v. Wyndham Worldwide Corp. (3d Cir. Aug. 24, 2015) has far-reaching implications for all businesses around the country.
For several years, the FTC has been bringing administrative actions against companies following cybersecurity breaches. The actions often resulted in broad, onerous consent orders and significant penalties. The FTC brought an administrative action against Wyndham following three cyber attacks in 2008 and 2009, when the personal and financial information for hundreds of thousands of Wyndham customers was compromised. Wyndham challenged the FTC’s authority to bring the administrative action and alleged that the FTC had not promulgated sufficiently clear regulations to enforce.
In Wyndham, the Third Circuit: (a) confirmed the FTC’s authority under Section 5 of the Federal Trade Commission Act (15 U.S.C. §45(a)) to investigate and bring administrative actions against companies related to cybersecurity incidents; and (b) ruled that a company’s lax cybersecurity policies can be considered “unfair acts or practices affecting commerce.” The Third Circuit also noted that the FTC had published a guidebook in 2007, Protecting Personal Information: A Guide for Business, and had posted its administrative complaints and consent orders on the FTC website -- and that the guidebook and consent orders provided notice to Wyndham of appropriate practices expected by the FTC.
Three takeaways from the Third Circuit Opinion:
- The FTC’s authority on cybersecurity issues has been strongly solidified; for now, even if Wyndham appeals, expect the FTC to be emboldened and institute more administrative actions involving more cybersecurity incidents.
- The Opinion may spark Congress to act on several competing pieces of cybersecurity legislation that have been introduced in both the House and Senate. While there was bipartisan support for passing cybersecurity legislation this year, progress was stalled in the spring. Efforts to pass comprehensive cybersecurity regulations – which may codify or reverse parts of the Opinion – may be renewed given the publicity of this decision.
- It is critical that every business conduct a cybersecurity analysis and have a cybersecurity plan. Cybersecurity plans are going to vary and should be scalable to the needs of individual businesses – but the underlying common purposes of the plan are twofold: (a) appropriately and reasonably protect data through risk assessment and risk mitigation; and (b) outline an incident response plan to enact when a data breach occurs. The Opinion is a tough read for businesses -- but is a good wake-up call to the regulatory repercussions of a cybersecurity breach and the failure to have a cybersecurity plan in place.
KMK’s Cybersecurity and Privacy Team advises clients in conducting cybersecurity analyses and drafting cybersecurity plans. Additional resources that will help you in this process:
- DOJ’s Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015)
- FTC’s Start With Security: A Guide To Business (June 2015), an update to the FTC’s Protecting Personal Information: A Guide For Business (June 2011) (Updated from 2007)
- Federal Trade Commission Website
- Cybersecurity 101 – 10 Simple Practice Pointers For Every Lawyer and Client, Joseph M. Callow, Jr., June 2015 CBA Report
- Federal Trade Commission’s Position As Cybersecurity Regulator Is Confirmed, Drew Hicks, Aug. 26, 2015, KMK Blog
- FTC v. Wyndham Worldwide Corp. (3d Cir. Aug. 24, 2015)
Joe Callow and Drew Hicks are Litigation Partners at KMK Law and members of the KMK Law Cybersecurity & Privacy Team, an inter-disciplinary team of attorneys who advise clients in areas related to protecting corporate data, preventing cyber breaches, and mitigating issues when they arise. To ensure you receive updates on cybersecurity-related legal issues, please subscribe to the KMK Law Cybersecurity & Privacy Blog. To subscribe, input your email address in the sidebar of the blog's webpage.
KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
©2015 Keating Muething & Klekamp PLL. All Rights Reserved.