Cyber liability issues are omnipresent in today’s business world. Target, Home Depot, Anthem and Ashley Madison represent just a few recent examples. On Monday, the Third Circuit United States Court of Appeals addressed this issue, making it clear that the Federal Trade Commission (FTC) may take action against organizations that have subpar IT protocols. Based on this ruling, an organization’s potential exposure has multiplied.
Many companies, large or small, are at risk for substantial private civil litigation as a result of a data breach. The FTC’s authority provides for civil claims by the FTC – and substantial fines. In other words, the FTC just became the cyber police (at least in the Third Circuit).
Of interest, is Wyndham Worldwide Corporation. On three occasions in 2008 and 2009, hackers successfully accessed Wyndham’s computer systems. Personal and financial information for hundreds of thousands of consumers was stolen and more than $10.6 million in fraudulent charges resulted.
Based on these data breaches, the FTC brought an enforcement action against Wyndham. Wyndham requested the trial court dismiss the case, arguing that the FTC had no authority to regulate cyber security. The trial court refused and Wyndham appealed. The Third Circuit also rejected Wyndham’s arguments and used fairly strong language in doing so. It stated the FTC can sanction businesses for “unfair or deceptive acts or practices” that affect commerce. In its decision this week, the Court ruled unequivocally that the breach of Wyndham’s systems is precisely the type of “unfair or deceptive practice” the FTC is charged with stopping. Based on this ruling, Wyndham now must face the merits of the FTC’s lawsuit in a trial court.
So, what does this mean for business owners and potential exposure for a cyber attack? It means that in addition to potential civil actions, including class action claims, an FTC enforcement action can be looming. The breadth and scope of an FTC enforcement action is, as one would expect, quite broad.
As stated above, the FTC just became the cyber police. Business owners should make cyber security the highest of priorities.
A complete copy of the Third Circuit’s opinion (Federal Trade Commission v. Wyndham Worldwide Corporation, United States Court of Appeals for the 3rd Circuit, Case No. 14-3514, (August 24, 2015) can be found here.