Court of Appeals Raises Doubts about the FTC's Cybersecurity Approach in Wyndham
After a series of Russian cyber-attacks on Wyndham-affiliated hotels, the Federal Trade Commission (FTC or Commission) sued various Wyndham entities, claiming that their allegedly deficient data security practices violated Section 5(a) of the Federal Trade Commission Act (FTC Act), which prohibits "unfair or deceptive acts or practices." Wyndham fought back, and now the FTC's action is being reviewed by the U.S. Court of Appeals for the Third Circuit, in FTC v. Wyndham, No. 14-3514. The fundamental issue raised is whether, in the absence of regulations or applicable security standards, the FTC is empowered to police the general data security practices of American businesses by bringing enforcement actions after a breach.
The appeals court is reviewing a District Court decision that sustained the FTC's approach. Briefing has been extensive, with numerous amicus briefs submitted. Recent supplemental briefing signals court skepticism about the FTC's approach. But the agency remains committed to its enforcement, warning corporate general counsels to be vigilant and heed the FTC's guidance.
Third Circuit Skepticism
Shortly before oral argument, the Third Circuit asked the attorneys to address supplemental questions. These questions signal some skepticism about the FTC's approach and potential discomfort with courts being asked to assess the substantive reasonableness of corporate data security practices. The court posed two questions concerning the FTC's authority over unfair cybersecurity practices:
(1) Has the FTC previously determined that unreasonable cybersecurity practices are "unfair," using the procedures of the FTC Act; and,
(2) Assuming it has not, "is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are 'unfair' in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?"
With these questions, the court asks the FTC to defend its choice to police cybersecurity through case-by-case adjudication in federal court, rather than through regulatory methods like agency adjudication. Section 13(b) of the FTC Act permits the FTC to seek preliminary and permanent injunctions in federal court, and the FTC has chosen federal court action here to take advantage of the additional remedies available, including equitable monetary remedies, such as disgorgement or restitution. At oral argument, the court asked counsel to file supplemental briefing on these questions. Those briefs shed light on the dispute and the FTC's position.
The FTC's "Previous Determinations"
With respect to the Third Circuit's first question, whether the FTC has found unreasonable cybersecurity practices to be unfair under the FTC Act's procedures, the parties strongly disagree. Not surprisingly, the FTC argues that it has previously addressed the issue adequately and provided guidance about the agency's expectations. The FTC cites its order refusing to dismiss the pending LabMD administrative enforcement proceeding, the fact that it has voted to issue over 20 complaints for inadequate data protection as unfair practices, the Commission's guidance documents, and its prior testimony before Congress on inadequate data security. The FTC recognized that complaints are not binding precedent, but noted that complaints have value as reasoned guidance.
In contrast, Wyndham's supplemental brief argues that "the FTC has not declared unreasonable cybersecurity practices 'unfair' through the procedures in the FTC Act, 15 U.S.C. §§ 41-58." Wyndham argues that the Commission's order in LabMD was not a final order and the Commission "cannot transform complaints and consent decrees into rules and adjudications." Citing the court's statements from oral argument, Wyndham pointed out that "the FTC has never directed the public to look to complaints or consent decrees for guidance, and those are not the typical sources which counsel would turn in advising clients." For these reasons, Wyndham argues that its earlier practices have not and cannot be deemed "unfair" under the FTC Act.
Appropriateness of this Judicial Review
Confronted with the Court's skepticism about the use of federal court rather than agency procedure, both the FTC and Wyndham agree that the court need not address the question of whether this case is properly before a federal court. Both parties are committed to having a federal court decide the issues, for different reasons.
The FTC seeks to preserve a procedural vehicle for litigating its cases, and vigorously defends its authority to choose its forum. It argues that Congress permits the FTC to enforce the FTC Act through either administrative procedures or litigating in federal courts under Section 13(b). The FTC claims broad discretion to determine which cases are suited for federal court versus those that should go through the administrative process. The FTC emphasizes that federal district courts are amply equipped to handle this sort of case, as the questions presented are not more difficult than others addressed by the courts, and Section 13(b) has been applied to many complex and "non-routine" cases like the dispute here.
Wyndham likewise desires to have its day in court, or at least to avoid the FTC's adjudicative process. Wyndham agrees that the Third Circuit need not address the jurisdiction question, arguing that the issue was not raised by either party, the FTC's authority under Section 13(b) is not jurisdictional here, and that finding against the FTC on this issue would create a circuit conflict. But if the court were inclined to find a procedural problem with the FTC's unfairness claim, Wyndham urges the court to hold the FTC to its choice of litigation strategy. As Wyndham describes it, the FTC traded a favorable forum (its own administrative law judges, more favorable rules, and Commission review of the decision) for broader potential remedies in the form of monetary penalties.
In urging the Court to bring some closure to this dispute, Wyndham casts doubt on the utility and fairness of administrative adjudication here. The alleged conduct is five years old, and, "[i]n light of the advanced nature of this case and the substantial burdens Wyndham has already incurred, the FTC should not be permitted to start litigation anew." Wyndham also questions whether it "could receive a fair hearing if this case were litigated at the FTC. Before last year, no private litigant had prevailed in the FTC's administrative courts in nearly twenty years."
At bottom, Wyndham argues that if the Court finds "that the FTC lacked authority to bring its unfairness claim" in federal court, it should dismiss that claim with prejudice and not allow the FTC to re-file its unfairness claim in its own administrative courts. And if it were inclined to let the FTC take another shot at Wyndham, "[a]t the very least, the Court should hold that the FTC cannot pursue an unfairness claim against Wyndham without first promulgating a rule declaring unreasonable cybersecurity practices unfair."
FTC Will Remain the Cop on the Beat
The FTC's aggressive policing of data and cybersecurity practices has raised controversial legal issues about agency authority and process. While the Third Circuit's much-anticipated decision may bring some clarity to the breadth of the FTC's authority and the proper FTC procedures for regulating corporate cybersecurity, the FTC has made clear it is not going to be shy in acting to protect consumers.
The agency emphasized that it is "the only consumer protection agency that is able to proceed against companies that accept confidential data from their customers and then fail to take steps to protect that data." At oral argument, the FTC made clear that all businesses must be on notice of the Commission's approach to adequate cybersecurity practices, stating that "any careful general counsel would be looking at what the FTC is doing, [as the FTC] has broad ranging jurisdiction [over the private sector] and undertakes frequent actions against all manner of practices and all manner of businesses."
The FTC has several efforts underway regarding data security, cybersecurity, and privacy. Businesses should be vigilant in their approach, and mindful of the FTC's watchful eye.