As Justice Oliver Wendell Holmes once wrote, hard cases make bad law; the corollary, perhaps, is that easy cases make good law. That was certainly true in Wyndham Hotels v. Federal Trade Commission (FTC), which pitted the hotel chain, whose allegedly appalling data security practices led to persistent leaks of customer information, against the federal trade regulator. On Monday, the U.S. Court of Appeals for the Third Circuit dealt the FTC a resounding legal victory—and Wyndham a stinging defeat. The court upheld the decision of U.S. District Court Judge Esther Salas to deny Wyndham’s motion to dismiss. Unless settled, the case will now proceed to trial.
The main point of contention concerned Wyndham’s due process argument, which was based on the age-old principle nulla poena sine lege (no punishment without law). As the Supreme Court held in the 1954 U.S. v. Harriss case, “The underlying principle is that no man shall be held criminally responsible for conduct which he could not reasonably understand to be proscribed.” Wyndham claimed that the FTC failed to provide businesses with “fair notice” concerning which data security practices it regards as “unfair” under Section 5 of the FTC Act. Businesses, it argued, were smacked with enforcement actions, being told what they did wrong only after the fact.
On multiple counts, Wyndham’s argument failed. To begin with, as is often the case in big-ticket shows run by litigators, Wyndham’s arguments proved too much. So eager were Wyndham’s litigators to assert that the FTC failed to provide any guidance, rules or authoritative interpretation on what constitutes reasonable data security practices, the court concluded that no notice was necessary at all. If the FTC did not declare which practices are unfair, then Wyndham was not entitled to “ascertainable certainty” of such declaration. Instead of fair notice of the FTC’s interpretation, Wyndham need only have obtained fair notice of what the statute said. And Wyndham clearly had such notice, or at least failed to cogently argue the contrary.
To be sure, had Wyndham conceded that the FTC, in a line of enforcement actions and guidance documents, did set forth an authoritative interpretation of the statute, it could have claimed lack of fair notice. Alas, litigators are loath to concede much if anything, leading Wyndham to trip over the legal web it has spun for itself.
More pertinently, Wyndham’s practices were so manifestly inappropriate that it would be crass to argue they met any standard of reasonableness. The court laid out in excruciating detail the allegations against Wyndham: allowing hotels to store payment card information in plaintext, using outrageously easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, failing to deploy reasonable measures to detect and respond to cyber attacks. This has led to three reported incidents of major data breaches, with personal data for hundreds of thousands of customers whisked over to servers in Russia. The breaches, which resulted in more than $10 million in fraudulent transactions, were only discovered after customers complained to credit card companies about unauthorized charges.
At one point, responding to Wyndham’s claim that if the FTC’s authority extends to data security, then the FTC also has the authority to sue supermarkets that are “sloppy about sweeping up banana peels,” the court posits, “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under (Section 5).”
Providing the FTC with important ammunition for future legal battles, the court emphasized that Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ ... by enumerating the particular practices to which it was intended to apply,” citing the Supreme Court 1972 decision in FTC v. Sperry & Hutchison. Back in 1914, “Congress concluded that ... there were too many unfair practices to define, and after writing 20 of them into the law it would be quite possible to invent others.” In what could serve as a valuable lesson for European lawmakers as they mull over the details of the voluminous General Data Protection Regulation, Congress had the foresight back then to understand the futility of exhaustively listing every unreasonable practice that might arise. Firewalls, passwords and secure cloud transactions were hardly foreseeable in 1914.
The court held that the fair notice standard for civil statutes that regulate economic activities was lax. For those statutes, a party lacks fair notice when the relevant standard is “so vague as to be no rule or standard at all.” That’s certainly not the case with Section 5 of the FTC Act, which has been interpreted extensively for more than 100 years. Interestingly, the court held that the Section 5 unfairness standard instructs parties to conduct a cost-benefit analysis, which “considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”
On a couple of points, the court’s ruling was more ambiguous. First, the court’s message was mixed on the question of whether the FTC’s line of enforcement actions gives rise to a “common law” of privacy and data security, as claimed by leading academic scholars. On the one hand, the court wrote in a footnote, “We agree with Wyndham that the consent orders, which admit no liability and which focus on prospective requirements on the defendant, were of little use to it in trying to understand the specific requirements imposed by (Section 5).” On the other hand, the court stated, “As the agency responsible for administering the statute, the FTC’s expert views about the characteristics of a ‘sound data security plan’ could certainly have helped Wyndham determine in advance that its conduct might not survive the cost-benefit analysis.” Indeed, the court went so far as to compare in a chart the facts alleged in a prior FTC data security complaint against CardSystems Solutions to those in the Wyndham case, demonstrating that Wyndham could easily have surmised that its actions were unlawful. Importantly, the court debated, in a footnote, the public accessibility of prior FTC enforcement actions back in 2008. Today, this legal corpus is readily available for IAPP members, indexed, tagged and annotated through the FTC Casebook.
Second, the court allowed that the famous “three part test” for unfairness, originally set forth in the FTC’s 1980 Policy Statement on Unfairness cases and codified by Congress in 1994 as Section 5(n) of the FTC Act, could be a necessary but insufficient condition to assert an unfairness case. Yet regardless of what else the FTC has to prove to show unfairness, the court ruled it had easily alleged so in pleading the present case. “As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all” (emphasis in the original, cross-references removed).
The Wyndham case is an important landmark in the FTC’s emergence as the U.S.'s national privacy and data security regulator. Affirming the FTC’s authority in unambiguous terms, the court’s decision could usher in a period of heightened enforcement activity in this space. Given the egregiousness of Wyndham’s alleged practices, it was not a hard case, but it makes good law.
Find all the relevant privacy and cybersecurity FTC cases here, with all attendant documents and analysis.
If you want to comment on this post, you need to login.