US Third Circuit holds that poor data security can constitute “unfair practice”

The US Court of Appeals for the Third Circuit has confirmed the Federal Trade Commission’s (FTC) authority to take action against a private company for poor IT security practices under Section 5(a) of the FTC Act (15 U.S.C. § 45(a)), which prohibits “unfair or deceptive acts or practices in or affecting commerce”.

Wyndham (a hotel chain) had suffered a number of significant data breaches, and the FTC alleged that these were made possible by poor IT security practices, including storing payment card information without encryption, failing to maintain and enforce IT security policies at the individual hotels that connected to its central network, and failing to follow appropriate ‘incident response’ procedures.

Wyndham raised several arguments in support of its claim that the FTC’s “unfairness” authority did not extend to regulating data security:

  • Wyndham argued that conduct is only unfair when it injures consumers through “unscrupulous or unethical behaviour”.  The Court rejected this argument on the basis that these requirements are not part of the statutory meaning of “unfair”.
  • Wyndham argued that it could not have treated its customers unfairly when the business was itself the victim of criminal activity.  The Court disagreed with this contention as well.  It also held that a business can be subject to an unfairness claim even where its own conduct was not the proximate cause of the injury, provided that its conduct facilitated the intervening act (here, the intrusion by third-party criminals) and the resulting harm was reasonably foreseeable.

The Court therefore returned the case to the US District Court, which must still decide on the facts whether Wyndham’s security measures were indeed “unfair” within the meaning of the Act.

Link: FTC v Wyndham Worldwide Corporation