U.S. Court of Appeals Upholds FTC’s Authority to Regulate Cybersecurity

Today, the United States Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp. upholding the authority of the Federal Trade Commission to regulate corporate cybersecurity under Section 5(a) of the Federal Trade Commission Act, which prohibits businesses from engaging in “unfair or deceptive acts or practices.” This case was an interlocutory appeal from an earlier decision by a federal court in New Jersey denying Wyndham’s motion to dismiss the FTC complaint.

In its appeal, Wyndham argued that the FTC had exceeded its statutory authority under the FTC Act by regulating data security issues. The court rejected this argument by holding that Wyndham’s cybersecurity practices could be considered an unfair practice by the FTC and that the Commission’s interpretation of Section 5(a) was consistent with its prior practice and permissible under its statutory authority. Wyndham also argued that, because the FTC has not issued data security regulations, the Commission failed to provide sufficient notice of what it considered reasonable data security methods, thereby denying Wyndham adequate due process. This argument was also rejected by the court, which noted that Wyndham was only due notice of what the statute itself required. The court further observed that, under the method of analysis employed by the FTC in Section 5(a) cases, as well as other public FTC guidance and enforcement actions, Wyndham should have realized that its repeated alleged failures to protect consumer data could have been considered an unfair practice under Section 5(a).

Absent a petition to the Third Circuit for rehearing en banc, or a petition for review by the Supreme Court, this case will now be returned to the district court for further proceedings.
