In the latest installment of the FTC v. Wyndham case, the Third Circuit Court of Appeals is set to determine the scope of the agency’s authority over unfair trade practices in the arena of cybersecurity. On March 27, the Federal Trade Commission (FTC) and Wyndham Worldwide Corp. filed supplemental briefings in the Third Circuit presenting arguments on whether the FTC has declared that unreasonable cybersecurity practices are unfair, and, assuming the FTC has not determined that unreasonable cybersecurity practices are unfair, whether the federal court can hear a data security challenge brought under 15 U.S.C. § 53(b) (section 13(b) in the FTC Act).
The questions addressed in the supplemental briefs originate from a letter that the court sent to counsel prior to oral arguments last month, outlining what issues it would like the parties to be prepared to discuss. At the closing of oral arguments, the court asked the parties to file supplemental briefings further answering these questions.
This is the latest development in the case that began back in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. The FTC charged Wyndham with violating both the deception and unfairness provisions of Section 5 of the FTC Act. Instead of settling with the FTC, as the vast majority of defendants do in such cases, Wyndham moved to dismiss the case, challenging the FTC’s authority to regulate data security. The U.S. District Court in New Jersey denied Wyndham’s motion (see court document here), and Wyndham filed for an interlocutory review of the order. The District Court approved Wyndham’s motion to appeal, and in August 2014 the Third Circuit granted Wyndham’s petition, agreeing to consider whether the FTC has the authority to regulate companies’ data security practices.
The FTC answers the court’s first question, whether it has “declared that unreasonable cybersecurity practices are ‘unfair’,” with a resounding “Yes.” It begins its brief by stating that “the FTC has acted under its procedures to establish that unreasonable data security practices that harm consumers are indeed unfair within the meaning of Section 5.” To support this assertion, the FTC points to several sources. First, the FTC relies on its interlocutory decision in LabMD, claiming the order “directly states the Commission’s considered determination that inadequate data security can be an unfair practice.” Second, the FTC draws attention to its issuance of more than 20 prior complaints that charge deficient data security as unfair practices. While the FTC acknowledges that complaints are not binding, it argues the complaints “are akin to policy statements or interpretive rulings,” which litigants and the courts can resort to for guidance. Finally, the FTC contends it made clear in formally approved testimony to Congress that it deems inadequate data security to be a potentially unfair practice. The FTC concludes that these sources provide not only fair notice to potential defendants, but also guidance to district courts for use in their determinations of liability in particular cases.
Wyndham maintains its position that the FTC has not declared unreasonable cybersecurity practices “unfair” through the procedures set forth in the FTC Act. In response to the FTC’s argument, Wyndham states that the LabMD decision is “not final” (referring to a holding by the 11th Circuit Court of Appeals that states the FTC’s Order denying LabMD’s motion to dismiss is not a “final agency action”) and therefore does not amount to a formal declaration about the meaning of unfairness. Next, Wyndham emphasizes that complaints and consent decrees do not amount to an enforceable holding that unreasonable cybersecurity practices are unfair under the FTC Act. “Try as it might,” Wyndham argues, “the Commission cannot transform complaints and consent decrees into rules and adjudications.” Wyndham does not address the FTC’s argument regarding its congressional testimony.
Amidst the contention, the FTC and Wyndham do agree on one point: that the Third Circuit does not need to decide the issue of whether the case is “proper” within the meaning of Section 13(b) of the FTC Act, codified as 15 U.S.C. § 53(b), and therefore appropriately before the federal court. Section 13(b) states that “whenever the Commission has reason to believe that any … corporation is violating … any provision of law enforced by the Federal Trade Commission … the Commission … may bring suit in a district court of the United States to enjoin any such act or practice.” The court questioned whether, assuming the FTC had not determined that unreasonable data security practices were unfair, a federal court would be the correct venue for making such a determination in the first instance in a case brought before it under Section 13(b). Interestingly, neither party raised the jurisdictional question and although the FTC and Wyndham come to the conclusion differently, both agree that the court has jurisdiction to decide the case.
The FTC argues that even if the Commission had not adopted a prior body of determinations with respect to the unfairness question, Congress gave it discretion to choose a judicial forum for the resolution of Section 5 disputes, and it did not condition the availability of that forum on the Commission’s prior use of an administrative forum in similar cases. Wyndham asserts that the presence of a deception claim makes it a proper case to file in federal court regardless of the novelty of the unfairness claim, stating “the statutory language speaks in terms of ‘proper cases’ not ‘proper claims.’”
Wyndham argues that although the FTC is generally allowed to choose between rulemaking and adjudication (citing SEC v. Chenery Corp., 332 U.S. 194, 203 (1947) “the choice made between proceeding by general rule or by individual, ad hoc litigation is one that lies primarily in the informed discretion of the administrative agency”), declaring unreasonable cybersecurity practices “unfair” falls under an exception to this rule (citing NLRB v. Bell Aerospace Co., 416 U.S. 267, 294 (1974) “there may be situations where [an agency’s] reliance on adjudication would amount to an abuse of discretion”). Wyndham points to case law that states the agency “must proceed by rulemaking if it seeks to change the law and establish rules of widespread application” (Ford Motor Co. v. FTC, 673 F.2d 1008, 1009-10 (9th Cir. 1981)). Wyndham argues that in deeming unreasonable cybersecurity practice “unfair” the FTC is “trying to establish an entirely new legal standard that will have ‘widespread application’.” From this, Wyndham concludes “[t]he FTC can embark on such an endeavor only if it first publishes rules explaining the new requirements it now interprets Section 5 to require—otherwise there is no backdrop of ‘existing law’ against which adjudications can be conducted.”
Specifically, Wyndham attacks a statement made by the FTC at oral arguments where the FTC’s counsel states that rulemaking in the cybersecurity area is “a very cumbersome process,” further noting “it would never end because the technology changes so fast.” In response to this statement, Wyndham argues that the FTC has previously used the rulemaking procedures—albeit in contexts outside of data and cybersecurity—to declare practices unfair (citing as an example the rule governing “advertising as to sizes of viewable pictures” shown on television sets); suggesting that doing so now should be no more cumbersome. Wyndham also points to several statutes—including COPPA, FCRA, and GLBA—that require the FTC to promulgate rules about cybersecurity, arguing these statutes “prov[e] that the agency can, in fact, publish rules of sufficient generality to take account of changes in technology.”
The FTC does not address this issue specifically in its supplemental brief; however, it does address the topic in its initial brief to the appeals court. In this earlier brief, the FTC stated that laws such as COPPA, FCRA and GLBA “all enable the Commission to adopt data-protection rules using notice-and-comment rulemaking procedures under the Administrative Procedure Act” and goes on to stress that “[i]n the absence of that APA authority, any Commission rulemaking proceedings in this area would be subject to cumbersome (and thus rarely used) Magnuson-Moss procedures, which require full-blown evidentiary hearings and witness testimony.”
The Third Circuit’s decision in this case is important because it has the potential to change how businesses and the FTC interact moving forward. Not only will this case have implications for cybersecurity practices in general, but it could also revise the FTC’s current authority and discretion in bringing unfairness cases in new areas.