DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

FTC claims victory in Wyndham case; Appellate court upholds authority to enforce data security

Posted on August 24, 2015 by Dissent

Commissioner Julie Brill of the FTC has claimed victory in Wyndham’s appeal in the Third Circuit:

Big news: FTC wins Third Circuit Wyndham appeal. Inadequate data security can be unfair under FTC Act & companies have adequate notice.

— Julie Brill (@JulieBrillFTC) August 24, 2015

“Big news: FTC wins Third Circuit Wyndham appeal. Inadequate data security can be unfair under FTC Act & companies have adequate notice.”

But is that what the opinion actually says? Keeping in mind that I am not a lawyer, here are my impressions of the opinion, until some expert tells me I’ve got it all wrong:

The opinion does hold that inadequate security can be an unfair practice under Section 5, which is certainly a significant ruling. The Third Circuit’s interpretation of “unfairness” also has significant implications for the LabMD case (although that case would be heard in a different circuit), as the Third Circuit’s opinion notes that a priori determinations that an action or practice is likely to cause substantial injury is sufficient to meet that prong:

Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n.45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); Westfarm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir. 1995) (“Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”).

Leave a laptop with unencrypted patient or customer data in your car and it’s stolen? You may want to blame the thief, but according to the Third Circuit’s interpretation, you can also be held liable for inadequate security if the theft was a foreseeable harm.

It is important to note that in Wyndham’s case, the FTC has another argument supporting its “unfairness” claim: Wyndham’s privacy policy offered assertions and pledges of “industry standard” data security that Wyndham allegedly did not implement (such as firewalls and encryption).

The opinion describes the three hacks and the lack of security measures that might have averted them. It does not make Wyndham look good, to put it mildly, and this may not have been the best case to test the FTC’s authority given how even after the first hack, Wyndham allegedly never monitored to see if the same malware reappeared on its network.

The section of the opinion dealing with fair notice is a bit trickier, as it seems to say that as long as Wyndham had sufficient understanding that Section 5 required them to have adequate security, they had sufficient notice and were not entitled to “ascertainment certainty.” The opinion leaves open the issue as to whether the FTC properly applied the standard to Wyndham, and left open the issue that others may not have had sufficient notice because the FTC hadn’t made clear to them that they should have been reading consent orders and public statements to understand generally what the law expects.

Obviously, I am not thrilled with the court’s opinion on the notice issue. I do not think that companies really do understand what they have to do to fully comply or have any safe harbor from an FTC enforcement action for data security, and that strikes me as inherently unfair. Can every human error result in an FTC enforcement action? Where does the FTC draw lines?

But the 3-0 appellate ruling must be giving Wyndham pause right now, as the FTC’s case against them will go forward unless Wyndham joins the ranks of those who have settled FTC charges via consent orders.

 

Category: Breach IncidentsBusiness SectorHackOf NoteU.S.

Post navigation

← Privacy Commissioner investigates Ashley Madison data breach, Company offers reward for information
Leaked AshleyMadison Emails Suggest Execs Hacked Competitors →

1 thought on “FTC claims victory in Wyndham case; Appellate court upholds authority to enforce data security”

  1. Justin Shafer says:
    August 24, 2015 at 10:12 pm

    I bet that includes sharing on limewire as well.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch (1)
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.