The FTC and Cybersecurity: Unfair Business Practices or Unfair Business Expectations

Author: Brooke Logsdon, Associate Member, University of Cincinnati Law Review

National Cybersecurity, or the lack thereof, has frequently been front and center in our national news these days. Despite the recent increase of cyber-attacks on corporate entities such as Target, Ashley Madison, and Anthem,[1] Congress has yet to pass an adequate cybersecurity bill that would protect our government, our infrastructure, and our private sector from cybersecurity attacks.[2] When Wyndham Hotels fell victim to cyber-attacks in 2008, it decided to fight the Federal Trade Commission’s (FTC) authority to declare business practices “unfair.” The Third Circuit held that the FTC possessed this authority; that Wyndham’s lack of cybersecurity was an “unfair” business practice; and that Wyndham was adequately notified as to what cybersecurity practices were required.[3] The court’s holding, however, improperly rejected Wyndham’s authority and notice arguments because the FTC does not have broad authority to regulate businesses’ cybersecurity practices and is not providing enough notice to businesses.

The Federal Trade Commission Act

In 1914, Congress passed the Federal Trade Commission Act, (Act).[4] Congress amended the Act in 1938 to prohibit “unfair or deceptive acts or practices in or affecting commerce.”[5] Congress intentionally left the Act’s language ambiguous so the FTC could develop its meaning.[6] In 1964, the FTC identified three factors that govern “unfairness.”[7] In 1994, Congress solidified these three factors in 15 U.S.C. § 45(n), which prohibits the FTC from declaring a practice unfair unless it: (1) causes substantial injury to consumers; (2) cannot be reasonably avoided by consumers; and (3) is not outweighed by countervailing benefits to consumers. [8] In 2005 the FTC began pursuing claims, under the Act, for businesses’ inadequate cybersecurity.[9]

The First Case of its Kind: FTC v. Wyndham

Between April of 2008 and late 2009, hackers accessed Wyndham Worldwide’s computer systems three times and stole the personal and financial information from over 500,000 customers’ accounts—leading to over 10.6 million dollars in fraud.[10] The FTC alleged that Wyndham stored customer information in clear, readable text with unsecure passwords and no firewalls, and that Wyndham did not monitor for malware after any of the attacks.[11] According to the FTC, Wyndham also had a deceptive cybersecurity statement that led customers into the false belief that their information would be protected.[12] Wyndham defended against the FTC’s claims by arguing that the FTC did not have the authority to regulate its cybersecurity practices, and that the FTC did not provide it with fair notice.[13] The Third Circuit Court of Appeals answered in the affirmative on the following two issues: whether the FTC had authority to regulate a business’s cybersecurity and if so, whether Wyndham had fair notice of what type of cybersecurity measures it was required to have.[14]

FTC’s Authority to Regulate Businesses’ Cybersecurity

The court improperly rejected Wyndham’s congressional intent argument. Relying upon the language of the Fair Credit Reporting Act (proper disposal of consumer information); the Gramm-Leach-Bliley Act (regulation of financial institutions); and the Children’s Online Privacy Protection Act (regulation of what information could be collected from children) the court determined that each statute not only authorized, but required the FTC to regulate businesses according to Congress’s direction.[15] Wyndham argued that even if the FTC’s broad regulation of cybersecurity practices was authorized by the Act, congressional action after the Act suggests that Congress excluded general cybersecurity authority from the FTC. [16] Essentially, it claimed that if the FTC already had broad authority to regulate cybersecurity, then Congress would not have had to pass this tailored legislation.[17] However, the Court held that the three bills that Congress passed were supplemental directives to its general cybersecurity authority.[18] Therefore, Congress passed those three acts so that the FTC had to act in certain circumstances, but was also authorized to act in all areas of businesses’ cybersecurity.

Congress did not Intend the FTC to Regulate All Aspects of Private Cybersecurity

The FTC did not begin bringing administrative actions against businesses until 2005. [19] By that time Congress had already passed the three statutes relied upon by the court.[20] If those bills had been passed after the FTC started bringing actions against businesses, it would show that Congress acquiesced to the FTC’s actions and provided further direction by requiring it to act in those specific circumstances. However, these bills were passed before the FTC started bringing claims against businesses; which means that Congress only intended the FTC to regulate in those specific instances. Finally, if Congress wanted to give the FTC broad cybersecurity authority over business practices, it could have done so in any of those three bills.

Congress statutorily required the FTC to start regulating certain cybersecurity practices because, until then, the FTC was not regulating cybersecurity practices. That Congress began requiring the FTC to regulate specific cybersecurity areas does not mean the FTC was already authorized to act in the broad arena of cybersecurity. Indeed, the fact that the FTC only started bringing claims in 2005 suggests that it either did not yet interpret the Act to include cybersecurity or it did not believe that it had the authority to regulate cybersecurity. Congress could have been defining what it considered to be “unfair” cybersecurity practices by requiring the FTC to act in certain instances, e.g., the regulation of the disposal of consumer information. This supports Wyndham’s argument that the FTC’s only authority over cybersecurity practices is limited to those areas. Congress likely realized the cybersecurity risks before the FTC did; although they have yet to pass a cybersecurity bill that completely addresses those risks.

Fair Notice

Wyndham’s second argument was that the FTC did not provide businesses with “ascertainable certainty” of the conduct required of them.[21] Under the Due Process Clause in the 5th Amendment of the Constitution, a statute or regulation lacks fair notice when it is too vague to give a person fair notice of what is required or allows for discriminatory enforcement.”[22] In cases of agency interpretation of a statute, a higher standard of notice—“ascertainable certainty”— is required.[23] If Wyndham acknowledged that the FTC’s prior consent decrees and its 2007 cybersecurity brochure were the FTC’s interpretations of the 45(a) statute, it would have been entitled to the “ascertainable certainty” standard. [24] However, most of Wyndham’s bad behavior was similar if not identical to the behavior of businesses that had settled with the FTC in the past; so the court would likely have ruled that there was notice.[25]

Instead, Wyndham had to argue that the past consent decrees and brochure didn’t count as interpretations and that there was no FTC interpretation that would reveal what business cybersecurity practices were considered “unfair” under the Act.[26] Ultimately, the court held that because Wyndham denied that the prior brochure and consent decrees were interpretations that would be entitled to deference, the court would interpret the statute in the first instance.[27]  But in its decision, the court erroneously concluded that Wyndham was alleging that the FTC had yet to interpret that cybersecurity practices could be an unfair business practices at all. Therefore, the court had to decide whether Wyndham had fair notice of what 45(a) required and not whether Wyndham had “ascertainable certainty” of what conduct was required from the FTC’s interpretation of the statue.[28]

Wyndham did not Receive Fair Notice of the Conduct Required

Since Wyndham denied that any previous FTC materials were interpretations, Wyndham was not entitled to “ascertainable certainty.” Rather, the court only needed to decide if Wyndham knew what 45(a) required—a very low bar to meet. However, Wyndham argued that the prior brochure and consent decrees do not “count” as interpretations.[29] In addition, Wyndham admitted to the court that the FTC had yet to decide that cybersecurity practices could be unfair.[30] The court construed these two admissions as Wyndham admitting that the FTC had not interpreted cybersecurity to be within the scope of its “unfair” practice jurisdiction.[31] However, Wyndham was merely arguing that the FTC had decided that cybersecurity was within the scope of “unfair” practices, but it had yet to give an interpretation that “counts” and sufficiently describes what kinds of cybersecurity practices were “unfair.” The fact that this case exists at all means that the FTC has decided that cybersecurity can fall under its “unfair” jurisdiction. Furthermore, Wyndham was actually requesting the court to decide if Wyndham had adequate notice of what kind of cybersecurity practices were unfair since the prior brochure and consent decrees do not “count” as interpretations of the statute.

Wyndham was trying to make a vagueness argument; claiming that the FTC is punishing businesses for breaking rules that do not formally exist yet. Assuming that the prior materials were not official interpretations, as Wyndham claimed, Wyndham could not know how the FTC would apply the statute because it had not expressed how 45(a) applies to cybersecurity practices. Finally, the court was requiring Wyndham to read into a one hundred year old statute and determine what practices the FTC may consider “unfair.” This is especially difficult considering the fact that technology is ever evolving.

From a policy standpoint, this is an inequitable result. Considering that cybersecurity is a national defense issue that Congress has yet to address, businesses should not be solely responsible for defending themselves from these attacks. It would be like putting all the blame and responsibility on Target for failing to stop a terrorist from blowing up its stores. While it may be partially Target’s fault, it is a large issue that needs to be addressed on a larger scale. Although the Federal Trade Commission Act may have been an adequate method of addressing unfair businesses practices in 1914, today the world is a lot more complicated. Holding businesses to a certain standard is permissible, but they should at least be notified as to what the standard is.

Uncertainty leaves room for arbitrary discrimination and enforcement. The absence of an explicit standard allows the FTC to decide what practices are unfair on a case-by-case basis. In addition, this uncertainty flies in the face of the traditional notions of capitalism. Instead of encouraging businesses to be innovative, the vagueness of the FTC’s authority and regulations encourages businesses to be extra cautious. Without more specific guidelines, businesses are left to fumble in the dark until someone gets caught and the rest can learn from their mistake. Although this is merely an economic penalty and not a criminal one, the right to fair notice is still a Constitutional concern. People and businesses do not deserve to be punished for conduct that they were not aware was prohibited. It not only allows for discrimination, it also inhibits freedom.

Conclusion

Although Wyndham did have a deceptive cybersecurity policy, Wyndham was not adequately aware of the standard required of it and it is unclear if Congress even gave the FTC the authority to govern all cybersecurity practices. The fact that Congress passed three specific cybersecurity bills before the FTC started bringing claims in 2005 supports Wyndham’s congressional intent argument. In addition, Wyndham could have known the practices that it had to employ by reading the FTC’s cybersecurity brochure and the prior consent decrees. However, the court agreed that those materials were not official interpretations; and therefore, Wyndham’s notice argument is much more persuasive. There should be clear cybersecurity standards for businesses and responsibility for adequate cybersecurity needs to be shouldered by both the government and by businesses.

[1] Kevin Granville, 9 Recent Cyberattacks Against Big Businesses, The New York Times (Feb. 5, 2015) available at http://www.nytimes.com/interactive/2015/02/05/technology/recent-cyberattacks.html.

[2] Jennifer Steinhauer, Cybersecurity Bill is Latest to be Delayed in Senate, The New York Times (Aug. 5, 2015) available at

http://www.nytimes.com/2015/08/06/us/politics/cybersecurity-bill-is-latest-to-be-delayed-in-senate.html.

[3] FTC v. Wyndham Worldwide Corp., No. 14-3514, 2015 U.S. App. LEXIS 14839, at *4 (3d Cir. Aug. 24, 2015).

[4] 15 U.S.C. § 45(a).

[5] FTC, No. 14-3514, U.S. App. LEXIS 14839, at *11-*12.

[6] Id.

[7] Id. at *12-*13.

[8] Id. at *14.

[9] Id. at *3.

[10] Id. at *8-*10.

[11] Id. at *9.

[12] Id. at *7.

[13] Id. at *22-*23, *36-*37.

[14] Id. at *4.

[15] Id. at *24-*25.

[16] Id. at *22.

[17] Id. at *23.

[18] Id. at *24.

[19] Id. at *3.

[20] Id. at *22-*23.

[21] Id. at *36-*37.

[22] Id. at *28; U.S. Const. Amend. V.

[23] Id.

[24] Id.

[25] Id. at *52-*53.

[26] Id. at *36-*37.

[27] Id. at *38.

[28] Id. at *39-*40.

[30] Id.

[31] Id. at *38-*40.

Advertisements

Comments are closed.