Today, the U.S. Court of Appeals for the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp.The court focused on several themes: First, whether Congress has entrusted the FTC to define new unfair practices, whether the FTC has declared that unreasonable cybersecurity practices are unfair, and whether the FTC is asking the Third Circuit to declare that unreasonable cybersecurity practices are unfair in the first instance; second, the existence and enforcement of cybersecurity standards; and finally, what is proper jurisdiction under FTC Act Section 13(b).
Gene Assaf argued for Wyndham Worldwide Corp., and Joel Marcus argued for the FTC. The judges on the panel are Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica.
Unfair Practices: A large portion of the argument was devoted to the issue of whether Congress has entrusted the FTC to define new unfair practices and, if so, whether the FTC has declared that unreasonable cybersecurity practices are unfair or whether the FTC is asking the court to do so in the first instance.
Definition. The FTC took the position that Congress has already defined what constitutes unfair practices under the FTC Act Section 5(n), which states that the FTC may only declare an act unfair where (1) the act or practice is likely to cause substantial injury to consumers, (2) which is not reasonably avoided by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or competition. The FTC later noted that it interpreted precedent as establishing that an “unfair” practice merely meant anything that causes or creates consumer harm.
Mens Rea. The court, in considering what constituted an unfair cybersecurity practice, heard argument from both Wyndham and the FTC on what, if anything, was needed in addition to negligence regarding cybersecurity, in order for a company to be found liable for unreasonable cybersecurity practices under the FTC’s unfairness authority.
Read more on Covington & Burling InsidePrivacy.