Cybersecurity Breaches May Result in Liability for “Unfair or Deceptive Acts or Practices” Under the FTC Act

geralt [Public domain, CC0 1.0 (], via PixabayCybersecurity is a critically important part of nearly every business operating today. Data breaches that compromise customers’ personal information, such as names, addresses, and credit card numbers, can result in huge losses due to identity theft and other types of fraud. If the Federal Trade Commission (FTC) concludes that a business failed to take adequate measures to protect its data, it can bring an enforcement action for “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act, 15 U.S.C. § 45. The Third Circuit Court of Appeals recently ruled in the FTC’s favor in a case involving the theft of more than 619,000 customers’ credit card information by hackers. FTC v. Wyndham Worldwide Corp., No. 14-3514, slip op. (3rd Cir., Aug. 24, 2015). The court did not rule on the merits of the FTC’s claim. It merely found that the FTC has authority to pursue the claim under Section 5.

According to the court’s ruling, the FTC began enforcing Section 5 “against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers” in 2005. Id. at 6. The defendant, which manages hotels directly and franchises its brand to independent hotels, experienced three cybersecurity breaches in 2008 and 2009. The theft of customer financial data resulted in fraudulent credit card charges exceeding $10.6 million. The defendant uses a “property management system” to process customer information, including names, addresses, and credit card information. Id. at 7. It requires franchisees to use the same system, configured to certain specifications.

The FTC’s lawsuit alleged numerous deficiencies in the defendant’s cybersecurity measures, including inadequate supervision of franchisees’ use of the property management system; use of “easily guessed passwords [by franchisees] to access the property management systems,” id. at 8; lack of firewalls and other common cybersecurity tools; failure to restrict access to its network by third-party vendors; the ability of franchisees to connect their networks to its central network without security; and failure to monitor its networks for intrusions, even after the first and second breaches. These acts and omissions, the FTC claimed, constituted “unfair” practices under the FTC Act. 15 U.S.C. § 45(a)(1).

After the district court denied the defendant’s motion to dismiss, the defendant appealed to the Third Circuit. The appellate court addressed whether the FTC has authority under Section 5 to regulate cybersecurity, and whether the defendant had adequate notice of its obligation. With regard to the defendant’s fair notice claim, the court had “little trouble rejecting” it. Wyndham, slip op. at 46.

The court reviewed the history of the FTC Act, which first became law in 1914, in deciding the question of authority. The FTC issued a “Statement of Basis and Purpose” in connection with its regulation of cigarette advertising in 1964 that established three factors to consider in determining whether the FTC had authority to regulate something under Section 5. It issued a revised statement in 1980, which Congress codified in 1994 at 15 U.S.C. § 45(n). The FTC may regulate a practice if it finds that a “substantial injury” is likely to affect consumers, cannot be reasonably avoided by consumers, and is not “outweighed by countervailing benefits to consumers or to competition.” The court essentially found that cybersecurity meets these three factors. It affirmed the district court’s order and remanded the case.

Business formation lawyer Samuel C. Berger represents businesses, business owners, and entrepreneurs in New York and New Jersey. We offer fixed-fee legal-service packages that cover a wide range of legal matters in order to help our clients thrive. Contact us online or at (212) 380-8117 today to schedule a confidential consultation with an experienced and knowledgeable business advocate.

More Blog Posts:

Protecting Your New York or New Jersey Business from Data Breaches, and the Liability Associated with Data Breaches, New York & New Jersey Business Lawyer Blog, June 4, 2015

New Jersey Insurance Company Not Liable to Members for Data Breach, Court Rules, New York & New Jersey Business Lawyer Blog, April 16, 2015

Are Web-Based Businesses “Public Accommodations” Under the ADA? New York & New Jersey Business Lawyer Blog, April 2, 2015

Photo credit: geralt [Public domain, CC0 1.0], via Pixabay.