In the last article, we outlined, generally, privacy and data protection considerations for compliance with applicable laws. This article discusses the Federal Trade Commission Act (“FTCA”) § 5, which empowers the Federal Trade Commission (“FTC”) to pursue enforcement actions against companies that engage in “unfair” acts that are (1) likely to cause substantial injury to consumers (2) that is neither reasonably avoidable (3) nor outweighed by countervailing benefits to consumers or to competition. 15 U.S.C. § 45(n). In short, the FTC may “take action against unfair practices that have not yet been contemplated by more specific laws.” F.T.C. v. Accusearch, Inc., 570 F.3d 1187, 1194 (10th Cir. 2009).
In a recent case, F.T.C. v. Wyndham, the Third Circuit analyzed an unfair practices complaint that the FTC brought against Wyndham Worldwide Corporation after hackers successfully accessed and stole the company’s consumer information on three separate occasions. The FTC complaint alleged that Wyndham neither took reasonable ex-ante measures to mitigate risks nor reasonably responded to the attacks.
In response, Wyndham argued, among other things, that the FTC did not have the authority to regulate cybersecurity practices. In rejecting this argument, the Third Circuit considered (1) a cost-benefit analysis of “relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity,” (2) an FTC guidebook, Protecting Personal Information: A Guide for Business, and (3) previous FTC complaints resolved via consent order. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 255-57 (3d Cir. 2015). On whether Wyndham’s practices were unfair, the court stated:
Both Wyndham and Snapchat ultimately agreed to consent orders rather than prolong litigation, which is the typical result of FTCA § 5 complaints. Consent orders often outline a comprehensive privacy program, provide external oversight, and provide an expedited means of punishment for subsequent violations of the order. Consent orders will be discussed in greater detail in the next article.