Which Way is the “Wyndham” Blowing? Cyber Regulation After FTC vs. Wyndham

Locke Lord Privacy & Cybersecurity Newsletter
November 13, 2015

Does the Third Circuit’s recent decision in FTC v. Wyndham Worldwide Corp. usher in a new era of enforcement by the FTC and other federal agencies regarding cybersecurity practices? Regardless of the answer, it is important to note what this new decision does not do. It does not set a judicial standard for adequate cybersecurity practices. And it did not rule on the merits of the FTC’s substantive allegations. Instead, the federal appellate court decision opines only on the principle of the FTC’s authority to regulate cybersecurity practices under the “unfair practices” prong of its statutory authority – and not the sufficiency of its allegations, a topic that will go back to the district court.

In this case, the FTC sued Wyndham, alleging that the company’s conduct in connection with several system intrusions was an “unfair practice” as defined by the FTC and that its privacy policy was deceptive. The district court denied Wyndham’s motion to dismiss and allowed interlocutory appeal of two issues: whether the FTC (1) has authority under Section 5 of the FTC Act to regulate cybersecurity practices, and (2) provided adequate notice of what it considers “unfair” in this area. The Third Circuit affirmed – greenlighting in principle the FTC’s authority to police cybersecurity practices, but not opining on the propriety of any particular standard or on whether Wyndham violated such a standard.

The appellate court decision validates the FTC’s tough stance on the scope of its regulatory authority. This ruling and the reality of ever-increasing cyberattacks and risks will likely embolden agencies at the federal and state levels to take more action. Because cybersecurity has attracted increasing public attention, various agencies will want to be seen as vigilantly protecting personal data and critical business and organizational information and operations.

Agencies have used and will continue to use existing regulations to flex their muscles. New regulations are certain to emerge. Some rules and laws invoked to enforce cybersecurity standards may not even have the word “cyber” in them – as evidenced, for example, by the FTC’s reliance on the unfair and deceptive practices language of its statutory authority. In addition, there may be more pressure for consensus about and refinement of baseline standards against which to measure an entity’s cybersecurity.

This dynamic underscores the need for a business or organization to stay up to date on both formal and informal agency guidance in order to steer clear of costly enforcement actions. It is important for any business or organization to know which agency or agencies regulate it and to be familiar with their pronouncements. This is particularly the case since the nature of an agency’s authority and its interest in invoking it can vary. An agency’s position or possible stance on cybersecurity can take the form of regulations, informal publications and guidance, press releases about recent settlements and consent decrees, and resources available on agency websites. These sources can provide guidance as to the agency’s expectations for data security. Trade associations also serve as resources to help determine which laws and regulations affect a particular industry.

All businesses and organizations have many powerful reasons to identify their assets vulnerable to cyberattack and to bolster their cybersecurity systems and procedures. Beyond its direct holding, this Wyndham decision signals the increased role that regulations from multiple stakeholder agencies will undoubtedly play in the data security decisions that businesses and organizations will and must make.

Molly McGinnis Stine is a Partner and John F. Kloecker is Of Counsel in Locke Lord’s Chicago office. They can be reached at and