On August 24, the Third Circuit Court of Appeals affirmed the authority of the Federal Trade Commission to bring cases against companies that experience a data breach.

The Third Circuit Court of Appeals ruled the FTC could proceed with a lawsuit alleging that the hotel chain Wyndham Worldwide Corp. violated the unfairness and deception prong of Section 5 of the FTC Act by failing to maintain reasonable and appropriate security measures.  According to the FTC, Wyndham’s security failures allegedly led to at least three data breaches between April 2008 and January 2010, exposing more than 600,000 consumer payment card account numbers and leading to more than $10.6 million in fraud loss.

In the past decade, the FTC has initiated more than fifty data security enforcement actions based on its authority to take action against unfair and deceptive business practices.  Wyndham chose to contest the FTC’s case, arguing that Congress never intended for the FTC to use its unfairness authority to police such practices.

Wyndham argued the FTC action constituted government overreach in which the Commission was seeking to hold businesses, rather than hackers, responsible for cybertheft.  In describing the lawsuit, the company used the analogy of the FTC suing a supermarket that was sloppy about sweeping up banana peels.

A Third Circuit three-judge panel rejected Wyndham’s arguments in a unanimous ruling.  Judge Thomas Ambro, writing for the court, said that Wyndham’s argument “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

The panel also rejected Wyndham’s argument that the FTC had not provided companies with guidance on what cybersecurity measures it considers reasonable and appropriate.  Judge Ambro dismissed this claim as “even weaker” because Wyndham had been hacked three times.  “At least after the second attack, it should have been painfully clear to Wyndham” that a court could find its conduct potentially problematic, the Court wrote.

In recent years, the FTC and state attorneys general have investigated and brought enforcement actions against a number of companies that experienced data breaches.  These actions are most often based on claims of “unfairness,” asserting that, even in the absence of actual deception, failure to adequately protect consumer data is an “unfair trade practice.”  Today’s ruling upholds at least the FTC’s authority to bring such actions.

Troutman Sanders’ Privacy and Data Security practice is a multi-disciplinary group of experienced lawyers who regularly advise on all aspects of privacy and data security.