Commissioner Julie Brill of the FTC has claimed victory in Wyndham’s appeal in the Third Circuit:
Big news: FTC wins Third Circuit Wyndham appeal. Inadequate data security can be unfair under FTC Act & companies have adequate notice.
— Julie Brill (@JulieBrillFTC) August 24, 2015
“Big news: FTC wins Third Circuit Wyndham appeal. Inadequate data security can be unfair under FTC Act & companies have adequate notice.”
But is that what the opinion actually says? Keeping in mind that I am not a lawyer, here are my impressions of the opinion, until some expert tells me I’ve got it all wrong:
The opinion does hold that inadequate security can be an unfair practice under Section 5, which is certainly a significant ruling. The Third Circuit’s interpretation of “unfairness” also has significant implications for the LabMD case (although that case would be heard in a different circuit), as the Third Circuit’s opinion notes that a priori determinations that an action or practice is likely to cause substantial injury is sufficient to meet that prong:
Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n.45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); Westfarm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir. 1995) (“Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”).
Leave a laptop with unencrypted patient or customer data in your car and it’s stolen? You may want to blame the thief, but according to the Third Circuit’s interpretation, you can also be held liable for inadequate security if the theft was a foreseeable harm.
It is important to note that in Wyndham’s case, the FTC has another argument supporting its “unfairness” claim: Wyndham’s privacy policy offered assertions and pledges of “industry standard” data security that Wyndham allegedly did not implement (such as firewalls and encryption).
The opinion describes the three hacks and the lack of security measures that might have averted them. It does not make Wyndham look good, to put it mildly, and this may not have been the best case to test the FTC’s authority given how even after the first hack, Wyndham allegedly never monitored to see if the same malware reappeared on its network.
The section of the opinion dealing with fair notice is a bit trickier, as it seems to say that as long as Wyndham had sufficient understanding that Section 5 required them to have adequate security, they had sufficient notice and were not entitled to “ascertainment certainty.” The opinion leaves open the issue as to whether the FTC properly applied the standard to Wyndham, and left open the issue that others may not have had sufficient notice because the FTC hadn’t made clear to them that they should have been reading consent orders and public statements to understand generally what the law expects.
Obviously, I am not thrilled with the court’s opinion on the notice issue. I do not think that companies really do understand what they have to do to fully comply or have any safe harbor from an FTC enforcement action for data security, and that strikes me as inherently unfair. Can every human error result in an FTC enforcement action? Where does the FTC draw lines?
But the 3-0 appellate ruling must be giving Wyndham pause right now, as the FTC’s case against them will go forward unless Wyndham joins the ranks of those who have settled FTC charges via consent orders.
I bet that includes sharing on limewire as well.