Third Circuit Affirms Federal Trade Commission Role as Data Privacy Enforcer

As we have previously reported, the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide held that Section 45(a) of Title 15 (Section 5 of the Federal Trade Commission (“FTC”) Act) permits the FTC to bring civil actions over cybersecurity breaches arising out of or related to “unfair” or “deceptive” practices. On appeal, the United States Court of Appeals for the Third Circuit affirmed, finding that data controllers and processors who fail to live up to their own privacy statements fall squarely within the FTC’s purview.

By way of refresher, the case below in Wyndham pitted the FTC against the international hospitality corporation, and stemmed from a string of cyber-attacks on Wyndham’s systems that, according to the FTC’s complaint, compromised more than 619,000 consumer payment card account numbers and resulted in more than $10.6 million in fraudulent charges. In light of the magnitude of the breaches, the FTC commenced its own suit against Wyndham, arguing that the gap between the company’s published privacy statement and its actual security practices constituted “unfair” or “deceptive” trade practices that the FTC is empowered to curtail through civil enforcement. Wyndham responded by moving to dismiss; Judge Esther Salas denied the motion and certified the question for interlocutory appeal, which is how the case reached the Third Circuit before any trial on the merits.

On appeal, Wyndham’s attack on the trial court decision was simple: the FTC is only empowered to sue corporations for “unfair” trade practices that are “unscrupulous” or “unethical”, and any civil action alleging conduct short of that falls outside Section 45(a). Rejecting this narrow reading of the FTC Act, the Third Circuit held that unfairness under Section 45(a) does not require unscrupulous or unethical conduct and that, in the data security context, enforcement is warranted where “a company . . . publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Nor did it matter that the breaches were the work of criminal hackers (as most, if not all, such breaches are): the Court concluded that an intervening criminal act does not excuse a company whose inadequate security made a breach of its customers’ personal financial information foreseeable.

While Wyndham is a watershed case for federal enforcement of consumers’ data privacy rights, the real question posed by the defendant is whether such an action can survive the conspicuous absence of uniform data privacy laws or regulations in the United States. For our part, however, the reasoning in Wyndham is at least clear on one point: a federal court need not wait for a national or state data privacy regime before assessing a company’s liability for a breach if, in fact, the data controller or processor at issue has published its own privacy statement or protocol. In practical terms, whatever a company tells its customers about how it protects their data becomes the standard the FTC can hold it to, and under-investing in the security those statements promise is what turns a breach into an enforcement action. Thanks to Adam Gomez for his contribution to this post. Please email Brian Gibbons with any questions.