Emerging Markets Law

3d Circuit Wyndham Decision Will Be Counterproductive

The 3d Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corporation, in a decision filed August 24, 2015, ruled that the Federal Trade Commission (the "FTC") by virtue of Section 5 of the FTC Act, has jurisdiction over the data security practices of corporations that collect and use the personal data of their cases.

Consumer advocates have celebrated the case as a win for consumers. I fear it will have the opposite effect.

The Ruling

The FTC sued Wyndham in the U.S. District Court for the District of New Jersey, asserting that Wyndham had violated Section 5 of the FTC Act by failing to maintain adequate security over consumer data stored on its servers. On three occasions in 2008 and 2009, hackers had gained access to Wyndham's network, stealing personal data from hundreds of thousands of consumers and causing more than $10.6 million in unauthorized charges.

Wyndham filed a motion to dismiss the case and the District Court denied that motion. Wyndham appealed that denial to the Third Circuit.

The Rationale

Section 5 of the FTC Act says simply that "unfair methods of competition in commerce" are illegal. The FTC Act empowers the FTC to adopt rules implementing the FTC Act, including Section 5. Although the FTC has not adopted any rules that prescribe precisely what businesses must do to keep their networks secure, the FTC sued Wyndham for failing to maintain security on the grants that its failure to do so was, simply, "unfair."

Wyndham made several legal arguments that were dispatched by the Third Circuit. Among other things it argued that the FTC should not be allowed to sue a business that is hacked when the FTC has never adopted rules to specify the level of security that a business must maintain. The Third Circuit, on a purely legal level, rejected these arguments.

The Policy Problem

While we can all agree that hackers are noxious and should be hunted down like the pirates they are, the Wyndham decision does not bring us any closer to making that a reality. I fear that the Wyndham decision will, in fact, have unforeseen consequences that will make life harder for consumers who are victimized by hackers.

First, winning this case in front of the Third Circuit will allow the FTC to continue the practice is has follows for many years - issuing pronouncements that warn industry to take care, but rarely issuing true regulations after notice and comment. The FTC does this because it is easier for them: they can forgo the effort of crafting real regulations and instead hold "town halls" and "open discussions" to warn industry that there are risks to be addressed. Later, they sue industry players when bad outcomes take place, saying, "we told you so." Because they never issued any real regulations, they are never accountable for establishing any rules. They simply assert that any negative outcome is "unfair" under Section 5 of the FTC Act and that such an unhappy outcome must have been the fault of industry.  

Second, by avoiding the adoption of real data security regulations, the FTC avoids making hard decisions about what level of security is appropriate. In reality (and as business leaders already know) complete data security would be possible at the expense of consumer convenience and increased prices. Imagine, for example, if every time you wanted to use your credit card you were required to provide a certified copy of your birth certificate. Such a requirement would dramatically improve the security of your credit card account. It would be horribly inconvenient, however, and the added expense would be directed back to you in the form of higher prices. Left to exercise business judgment, business leaders try to balance security with convenience and expense.  

Businesses want their networks to be secure because data breaches harm their reputation and reduce sales. (Imagine how many customers Target lost over its well-publicized security breach). Without concrete requirements established by law, business leaders are forced to make judgment calls that balance cost with convenience (and sales). A more robust FTC rule-making approach would make it easier for business leaders to make decisions and go a long way towards establishing common standards for all industry participants.

Third, by carrying on with the vague standard of "unfairness" the FTC allows the dual federal/state system of enforcement to continue. That dual system, in which industry participants are subject to regulation at both the state and federal levels, by both regulators and private litigants, dramatically increases the cost of compliance for business. If compliance were less expense, business could afford more of it and consumer data would be safer as a result.

Stay Connected

Subscribe to blog updates via email