FTC Enforcement of Cybersecurity Standards
January 6, 2016
By: Ryan M. Tharp
Originally Published September 15, 2015
An August 2015 opinion by the federal Third Circuit Court of Appeals titled FTC v. Wyndham Worldwide Corp. and the December 2015 settlement between Wyndham and the FTC demonstrate that companies may have liability for unfair and deceptive trade practices if they do not take cybersecurity seriously or if they misstate their cybersecurity practices. As part of the settlement of this case, Wyndham is required to implement a comprehensive information security program and report to the FTC on its compliance for the next 20 years.
After the FTC brought suit, Wyndham challenged the FTC’s authority over cybersecurity as it related to unfair trade practices (Wyndham did not challenge the FTC’s authority over the deceptive trade practices claims). In its opinion, the Third Circuit stated that the FTC had authority to sue companies for violations of unfair trade practices related to cybersecurity. The opinion does not mean that Wyndham necessarily engaged in unfair trade practices (that determination would have been made at trial had the parties not subsequently settled); rather, the opinion merely states that the FTC can sue companies for cybersecurity practices that may constitute unfair trade practices.
After the Third Circuit’s opinion, Wyndham and the FTC settled the case. As part of the settlement, Wyndham must implement a comprehensive information security program and is required to report on its compliance with the settlement agreement for the next 20 years. Wyndham was not required to pay any monetary penalty to the FTC. The settlement agreement lists specific actions that should be viewed as guidance on what the FTC currently considers reasonable for a comprehensive cybersecurity and information security program.
Why is this important?
If a company is not adequately addressing cybersecurity and information security, the FTC now has clear authority to sue that company for unfair and deceptive trade practices. The takeaway from the Wyndham case is that a company must take cybersecurity and information security seriously, and that means an ongoing commitment to ensure that consumers are not at risk of a substantial injury.
What are unfair and deceptive trade practices?
Unfair and deceptive trade practices deal with two separate types of conduct: (1) unfair trade practices and (2) deceptive trade practices. While these practices are related, they are treated separately.
- Unfair trade practices are practices that expose consumers to substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition. Fundamentally, this requires a cost-benefit analysis comparing the potential harm to consumers against the benefits to consumers and competition. Note that this definition only requires that a company expose consumers to a substantial injury – it does not require that the injury occur.
This Article is published for general information, not to provide specific legal advice. The application of any matter discussed in this article to anyone's particular situation requires knowledge and analysis of the specific facts involved.
Copyright © 2016 Fairfield and Woods, P.C. ALL RIGHTS RESERVED.