Today, the U.S. Court of Appeals for the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. The court focused on several themes: First, whether Congress has entrusted the FTC to define new unfair practices, whether the FTC has declared that unreasonable cybersecurity practices are unfair, and whether the FTC is asking the Third Circuit to declare that unreasonable cybersecurity practices are unfair in the first instance; second, the existence and enforcement of cybersecurity standards; and finally, what is proper jurisdiction under FTC Act Section 13(b).
Eugene Assaf argued for Wyndham Worldwide Corp., and Joel Marcus argued for the FTC. The judges on the panel are Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica.
Unfair Practices: A large portion of the argument was devoted to the issue of whether Congress has entrusted the FTC to define new unfair practices and, if so, whether the FTC has declared that unreasonable cybersecurity practices are unfair or whether the FTC is asking the court to do so in the first instance.
Definition. The FTC took the position that Congress has already defined what constitutes unfair practices under the FTC Act Section 5(n), which states that the FTC may only declare an act unfair where (1) the act or practice is likely to cause substantial injury to consumers, (2) which is not reasonably avoided by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or competition. The FTC later noted that it interpreted precedent as establishing that an “unfair” practice merely meant anything that causes or creates consumer harm.
Mens Rea. The court, in considering what constituted an unfair cybersecurity practice, heard argument from both Wyndham and the FTC on what, if anything, was needed in addition to negligence regarding cybersecurity, in order for a company to be found liable for unreasonable cybersecurity practices under the FTC’s unfairness authority. Judge Ambro suggested that it was possible that the plus factor here would be deception—that Wyndham was negligent, but that the statements it made on its website regarding its security practices were also deceptive—and that together the negligence and deception would be sufficient for a finding of an unfair practice.
Requesting the Court Determine whether Unreasonable Cybersecurity Practices are Unfair. In response to whether the FTC is asking the court to declare that unreasonable cybersecurity practices are unfair in the first instance, the FTC impliedly answered in the positive, responding that the “FTC has brought novel theories of unfairness in the courts before.” Particularly, the FTC repeatedly pointed to the Ninth Circuit case FTC v. Neovi (2010), in which the FTC alleged that Neovi engaged in unfair methods of competition by issuing unverified checks through its website. The Ninth Circuit agreed with the FTC, and found that Neovi did not take sufficient measures to prevent and address fraud. But the court took issue with this case, asking whether, looking at the language of FTC Act Section 13(b), it was appropriate for the Ninth Circuit to address a novel theory of unfairness in Neovi. Wyndham also took up the issue, arguing that, when viewed in its historical context, the language of Section 13(b) was limiting. The FTC, in turn, argued that the legislative history, which speaks to matters involving fraud, employs fraud cases as merely paradigmatic examples and that the illustrations were not limiting.
Administrative Proceeding versus FTC Act Section 13(b). The conversation then shifted to a discussion of whether the FTC should have pursued this case as an administrative matter or under Section 13(b) of the FTC Act. Among other differences, pursuing a matter under Section 13(b) allows the FTC to request certain remedies that are not available through administrative processes, such as disgorgement. Judge Scirica asked the FTC why it had not pursued both the administrative process and a suit under Section 13(b). The logic behind Judge Scirica’s question was that, had the FTC pursued both, it could have declared unreasonable cybersecurity practices unfair through the administrative process, and then gone forward to seek disgorgement or restitution (if appropriate given the facts of the case) having already established this threshold matter.
The court also noted that the legislative history of Section 13(b) indicates that the ability to seek a permanent injunction in lieu of administrative resolution should be invoked only where the FTC concludes that the case presents no issues warranting “detailed administrative consideration.” Judge Ambro followed up on this statement, asking whether the FTC thought that the issue of whether unreasonable cybersecurity practices were unfair warranted detailed administrative consideration.
The court seemed to be unsatisfied with the FTC’s response here, which was that the Commission often chose to proceed under Section 13(b) and not with an administrative matter because of the availability of remedies and because pursuing both would be complicated and cumbersome. The FTC stressed that its goal was to obtain actual redress for consumers, but the court did not latch on to this argument.
Cybersecurity Standards: Toward the beginning of the argument, Judge Roth raised questions relating to cybersecurity standards, including whether there are established cybersecurity standards, whether cybersecurity standards should be developed and, if so, who should develop cybersecurity standards. Judges Ambro and Scirica followed up with related questions.
Wyndham noted that there are currently two cybersecurity standards, the Payment Card Industry (“PCI”) data security standard and the National Institute of Standards and Technology (“NIST”) cybersecurity framework, but that the FTC has not yet defined or detailed a cybersecurity standard. Therefore, as was noted in response to an inquiry from Judge Ambro, companies cannot currently make an inquiry to the FTC as to whether they satisfy the FTC’s cybersecurity standards.
Notice. The court also spent considerable time on the subject of whether the FTC placed companies on notice of what it believed would constitute reasonable or unreasonable cybersecurity standards. The FTC said that the complaints and consent decrees published on the FTC’s website put companies on notice as to what constituted unreasonable security standards. (Later, the FTC noted that one of the difficulties posed by cybersecurity was the establishing of certain standards, given the ever-changing technologies.) The court appeared to be unconvinced by this argument, despite the FTC’s statement that any careful general counsel should be looking at what the FTC is doing. Instead, the court sought an example from the FTC of an instance where it acted in its capacity as an adjudicator and voted to hold unreasonable cybersecurity practices unfair.
LabMD. Here, the FTC pointed to the interlocutory order in FTC v. LabMD, Inc. The FTC argued that, in the order, the FTC acted in its capacity as an adjudicator and unanimously held that, as an interpretive matter, a failure to protect data security was an unfair act under the FTC Act. The FTC also argued that the interlocutory order was deserving of Chevron deference because it represented the FTC’s formal (although not, perhaps, final) determination as an adjudicator.
Proper jurisdiction under FTC Act Section 13(b): Although the court repeatedly asked counsel for examples of cases for which jurisdiction was proper under Section 13(b) of the FTC Act, both the FTC and Wyndham steadfastly agreed on this point. Both stated that any violation of a law enforced by the FTC would be proper.
Finally, the court ordered additional briefing on the questions it raised in its February 20, 2015 letter to counsel. The briefing is due March 18.