The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act.  The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers.  The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard.  Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong.  The highlights of the Third Circuit’s opinion are analyzed below.

After the district court denied Wyndham’s motion to dismiss, the Third Circuit granted interlocutory appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the unfairness prong of its Section 5 authority, and (2) if the FTC has such authority, whether Wyndham received fair notice that its cybersecurity practices could fall short of this standard.  On the first issue, the Third Circuit rejected Wyndham’s arguments that the FCRA, GLBA, and COPPA could be read to exclude cybersecurity from the reach of the FTC’s Section 5 authority.  According to Wyndham, each of these statutes contains an explicit grant of authority over cybersecurity issues to the FTC — an addition that would be unnecessary if, as the FTC claimed, it has pre-existing authority over cybersecurity under Section 5.  The Third Circuit rejected this argument, noting that the FCRA, GLBA, and COPPA each require the FTC to take specific actions, such as issuing regulations, that go above and beyond the bare requirements of Section 5.  As such, none of these statutes contradict the position that the FTC has Section 5 authority over cybersecurity issues.  The Third Circuit also rejected Wyndham’s contention that the FTC’s prior statements disclaimed regulatory authority over cybersecurity practices, finding that these statements acknowledged limitations in the FTC’s jurisdiction (such as the inability to regulate what data companies collect) that do not prevent the FTC from regulating cybersecurity practices.

Having concluded that the FTC’s Section 5 authority encompasses cybersecurity, the Third Circuit also rejected Wyndham’s argument that the FTC’s failure to provide “fair notice” of required cybersecurity practices under Section 5 violated the Due Process Clause.  As part of this argument, Wyndham highlighted the alleged lack of any concrete guidance from the FTC as to what, exactly, constituted “unfair” cybersecurity practices, and claimed that the FTC failed to define the cybersecurity practices required under Section 5 with “ascertainable certainty.”  However, the Third Circuit held that Wyndham’s preferred “ascertainable certainty” standard cannot apply if, as here, an agency has not issued a relevant “rule, adjudication, or document” that merits Chevron deference.  Where no such deference is required, the court can only engage in the “ordinary judicial interpretation of a civil statute.”  Under this standard, the Third Circuit held that Wyndham was not entitled to fair notice of the specific cybersecurity practices required by the FTC under Section 5.  Instead, Wyndham was only entitled to fair notice of the general standard that is applicable to all unfairness actions (not just cybersecurity) under the plain text of Section 5.

Turning to the second part of the fair notice inquiry, the court held that Wyndham had fair notice that its alleged conduct could “fall within the meaning of” the text of Section 5.  Although it acknowledged that the text of Section 5 is “far from precise,” the court held that the statute provided notice to companies that the “relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”  Noting that Wyndham had been hacked three times, the court held that at a minimum, Wyndham was on notice after the second hack that a court could find that its cybersecurity practices failed the cost-benefit analysis under Section 5.  The court also noted that the FTC has “counseled against many of the specific practices alleged here,” both in its informal guidance and its complaints and consent decrees raising unfairness claims based on inadequate cybersecurity practices.  The court emphasized the presence of similar allegations in at least five of the FTC’s enforcement actions, including one enforcement action in 2006 against CardSystems Solutions that contained almost identical allegations.  Even though many of these decisions alleged a collection of violations under Section 5 and did not specify which violations were necessary or sufficient for an unfairness finding, the Third Circuit held that these enforcement actions could help companies gauge the possibility of liability under Section 5.

In addition, the Third Circuit rejected Wyndham’s argument that it could not have acted unfairly when it was victimized by hackers, finding that Wyndham’s alleged conduct did not fall outside of the “plain meaning” of “unfair.”  Notably, the Third Circuit held that an unfairness claim could be brought “on the basis of likely rather than actual injury.”  Although Wyndham’s conduct may not have been “the most proximate cause of an injury” within the context of the data breaches it suffered, this distinction did not immunize Wyndham from liability for foreseeable harms arising from the breaches.  While the FTC’s complaint did allege actual harm to consumers resulting from the Wyndham breaches in the form of over $10 million in fraudulent charges, this language could allow the FTC to continue bringing enforcement actions where no “actual” harm to consumers exists.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.