3rd Circuit Affirms FTC’s Role as Cybersecurity Cop
Under the Federal Trade Commission Act, the FTC has broad powers to regulate unfair and deceptive business practices. The FTC has interpreted these powers to include the regulation of cybersecurity measures used by businesses to protect customer data. If the FTC believes that a company’s cybersecurity measures are unreasonably inadequate, it may bring a suit against the company for what it deems an ‘unfair’ act.
This is exactly what the Commission decided to do in its recent suit against Wyndham Worldwide Corporation. On three different occasions, Wyndham’s computer systems were hacked and consumers’ personal data was accessed and stolen. In its complaint, the FTC alleged that the security breaches were a result of Wyndham’s failure to use adequate measures to safeguard its customers’ data. The FTC argued that Wyndham’s security measures were so lax that it constituted an ‘unfair’ act under federal law. Wyndham moved to dismiss the complaint and argued that the FTC lacked the authority to regulate cybersecurity under the unfairness prong of the FTC Act.
The trial court denied Wyndham’s motion and the Third Circuit upheld the decision. In its opinion, the Third Circuit noted that the FTC Act purposely does not list specific unfair acts. Rather, the Act was intended to be flexible and capable of evolving along with changing business practices. Therefore, the Circuit Court held that the FTC had authority to regulate cybersecurity.
The decision is noteworthy for alternative small business funders and brokers that electronically receive and store volumes of personal customer data. Companies must be aware that the FTC expects them to maintain a certain standard of cybersecurity and those that fail to meet that standard may be subject to enforcement actions. It is also clear that the FTC is making cybersecurity a top priority as just yesterday it held the first of a series of conferences on data security strategies.
Companies in the small business finance space would be wise to compare the FTC’s recommendations with their current cybersecurity procedures.
FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015)Last modified: September 10, 2015
Patrick Siegfried is the author of usurylawblog.com and smallbusinessfinancelaw.com. Patrick is a practicing attorney in Bethesda, Maryland. Patrick’s work focuses on issues regarding alternative small business financing. He can be reached at firstname.lastname@example.org