On August 24, 2015, in a ruling that was much-anticipated because of its potential implications for the regulatory liability exposures of companies that have been hit with data breaches, the Third Circuit affirmed the authority of the Federal Trade Commission to pursue an enforcement action against Wyndham Worldwide Corp. and related entities alleging that the company and its affiliates had failed to make reasonable efforts to protect consumers’ private information. This ruling confirms that, in addition to the disruption and reputational harm that may follow in the wake of a successful cybersecurity, companies may also face a regulatory action from the FTC as well, as discussed further below. The Third Circuit’s opinion can be found here. The August 24, 2015 statement of the FTC’s Chair about the Third Circuit’s opinion can be found here.
The FTC alleges that between April 2008 and January 2010, intruders gained unauthorized access to Wyndham’s computer network on three occasions, on each occasion accessing sensitive personal information stored in Wyndham’s hotel property management system. The agency also alleges that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise” of its network. The FTC alleges that the data breaches resulted in the compromise of more that 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia, allegedly causing fraudulent charges and more than $10.6 million in fraud loss.
As discussed here, the FTC filed a complaint against Wyndham and its related entities alleging that the defendants’ alleged failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information violated the prohibition in Section 5(a) of the Federal Trade Commission Act of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” The FTC’s lawsuit seeks to compel the company to improve its security measures and to remedy any harm its customers have suffered.
The defendants moved to dismiss, arguing that the FTC does not have the authority to bring an unfairness claim involving data security; that fair notice principles require the agency to promulgate regulations before bringing this type of an unfairness claim; and that the FTC’s allegations are pleaded insufficiently to support either an unfairness or deception claim.
In an April 7, 2014 decision, District of New Jersey Judge Esther Salas denied the defendants’ motion to dismiss and rejected the hotel chain’s arguments that the FTC does not have the authority to regulate data-security practices or that the agency has to issue regulations before bringing a data breach enforcement action. She also held that the FTC’s allegations were sufficient to state a claim for purposes of the motion to dismiss. The district court granted the defendants request for leave to seek an interlocutory appeal. The appellate court granted the interlocutory appeal on two issues: whether the FTC has the authority to regulate cybersecurity under on the basis of “unfairness” (as opposed to on the basis that it is a “deceptive practice”) and whether Wyndham had fair notice that its cybersecurity practices could fall short of that provision’s requirements.
The August 24 Opinion
On August 24, 2015, in a unanimous opinion written by Judge Thomas Ambro for a three-judge panel, the Third Circuit affirmed the district court’s rulings, specifically holding that the FTC has authority to bring cybersecurity related actions on the basis that they are “unfair”; and holding that Wyndham had sufficient notice of the possible regulatory requirements based on the applicable standard.
In holding that the FTC has the authority to pursue cybersecurity enforcement actions under the “unfairness” standard, the appellate court rejected a number of arguments Wyndham had raised. First, the court rejected the argument that conduct can only be “unfair” when it injures consumers through because it is unscrupulous or unethical. The court found that no authority supported the argument that the standard required unfair conduct to be unethical or unfair.
The court also rejected Wyndham’s argument that it could not be the subject of an unfairness claim where the company itself was victimized by criminals, noting that the company “offers no reasoning or authority for this principle, and we can think of none ourselves.”
Finally, the appellate court rejected Wyndham’s argument that the FTC had failed to give fair notice of the specific cybersecurity standards the company was required to follow. Much of the court’s discussion of this issue consists of a rather obscure discussion of the appropriate notice requirement standard to be applied in the context of this enforcement action. After much discussion, the appellate court concluded that that the agency did not have to establish standards through the prior issuance of regulations or through administrative action in order to bring an enforcement action, and that the relevant question was whether Wyndham had fair notice of what the statute itself requires. The appellate court found that prior FTC enforcement actions with other companies that had been settled but that were public were sufficient to provide Wyndham with the requisite notice under this standard. In a chart at the end of the opinion, the court reviewed the corollaries between one of those prior actions and the Wyndham enforcement action, noting that in both the prior action and the Wyndham action, the FTC had alleged that various deficiencies and shortcoming violated the statute.
It is important to note at the outset that the question the court was asking was whether or not the FTC had the authority to proceed here. While confirming that the FTC had that authority, it did not rule that the FTC was entitled to prevail on its claims. The case will now go back to the district court for further proceedings on the basis of this ruling. The proceedings in the lower court will determine whether or not the agency’s claims are meritorious.
But while there has been no determination that the FTC is entitle to prevail on its claims that Wyndham’s actions violated the “unfairness” standard in the statute, the FTC’s authority to bring such claims has been validated. The clear implication is that for companies that experience a data breach, the adverse consequences may include not only disruption, expense, and adverse publicity, but also the possibility of a regulatory enforcement action as well.
A number of different observers, including this blog, have noted the potential litigation risks that may follow after a data breach, including risk of an action against the directors and officers of the company experiencing the breach. There have been shareholders derivative lawsuits filed against Target and even against Wyndham itself. However, the derivative lawsuit filed against Wyndham was dismissed (about which refer here). Though there have been numerous subsequent high profile data breaches since the Wyndham case was dismissed, there have been no other derivative lawsuits filed. Thus it remains uncertain whether cybersecurity issues will be a significant source of D&O claims. However, this case shows that whether or not a company that experiences a serious data breach faces a risk of a D&O lawsuit, the company does face the possibility of a regulatory enforcement action.
Indeed, although Wyndham is the highest profile example, the FTC has actually brought numerous prior cybersecurity enforcement actions – according to one source (here), more than fifty. However, all or virtually all of the other cases settled. Wyndham took the unusual step of resisting the FTC’s enforcement action, which led to this court battle. The kind of features that might attract the attention of the FTC are detailed at the table toward to the end of the Third Circuit’s opinion, where the appellate court compared the data breach details involved in a prior enforcement action to those in the Wyndham cases. I suspect that these details will make their way into numerous lists of the kinds of activities that might attract the unwanted attention of the FTC.
For publicly traded companies, these kinds of regulatory actions may present insurance challenges. The only defendants in this action were the corporate parent company and certain of its operating subsidiaries. In a public company D&O policy, the corporate entity is provided coverage only for securities claims. Because the FTC’s enforcement action did not allege violation of the securities laws, an FTC action of this kind would not trigger the entity coverage found in most D&O policies.
While private company D&O insurance policies provide broader entity coverage, private company policies also often contain so-called “antitrust” exclusions that broadly preclude coverage for claims involving allegations of unfair or deceptive trade practices. The exclusions in some carrier’s policies expressly preclude coverage for claims under the Federal Trade Commission Act. Some carriers will remove these exclusion upon request, but others will not, while yet others will only provide so-called antitrust coverage on a sublimited basis, or on a defense cost only basis.
Many carriers now offer separate cyber risk insurance policies that include third-party liability protection. The third-party liability protection available under these cyber risk policies usually include insurance protection for actions brought by regulators following a data breach, including even coverage for regulatory fines and penalties where insurable. However, the third-party regulatory protection available under many cyber risk policies is often subject to a sublimit.
The threat of a significant cyber breach presents a significant risk for companies and Increasingly these risks include the possibility of litigation following a data breach — including the risk of litigation brought by shareholders or by regulators. These data breach litigation risks in turn may present potentially complex insurance coverage issues, which underscores the need for companies to consult with knowledgeable insurance advisers in connection with these developing litigation exposures.
Alison Frankel’s interesting analysis of the Third Circuit’s opinion on her On the Case blog can be found here.