3rd Circuit Says: FTC Can Take Action Against Companies That Suffer Data Security Breaches

August 27, 2015

Companies can be fined by the federal government for failing to properly safeguard consumer data, according to a decision this week by Pennsylvania’s federal appellate court.

The question of whether companies that are hacked can be sued by customers for damages has been hotly contested in courts around the country.  According to a recent ruling, those companies need to worry about another angle of attack: fines and enforcement actions levied by the Federal Trade Commission.

On Monday, the Third Circuit Court of Appeals released a decision allowing the FTC to punish companies that fail to properly secure their computer systems.  In Federal Trade Commission vs. Wyndham Worldwide Companies, the FTC sought authority to punish the Wyndham Hotel chain for failing to protect customer data maintained on its computer system.  Repeated hacking of that system had exposed the personally identifiable information (including payment card information) of more than 619,000 consumers, resulting in more than $10.6 million in fraud.

The FTC alleged that Wyndham’s failure to properly secure its systems from hackers amounted to an “unfair or deceptive act or practice,” as defined by the FTC Act, 15 U.S.C. § 45(n).  By law, the FTC is empowered to investigate and punish companies for such unfair practices, including by imposing fines and injunctions.

Wyndham argued that leaving its systems open to attack was not unethical or deliberate, but merely negligent, and therefore did not rise to the level of an unfair trade practice under federal law.

The Third Circuit, the federal appellate court with jurisdiction over Pennsylvania, Maryland, and Delaware, disagreed, finding:

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

This decision has huge implications for businesses when their systems are compromised, as they now face an investigation and penalties from a federal agency, in addition to the prospect of private class action lawsuits.  The Third Circuit has vested the FTC with the power to slap these companies with substantial fines for the loss of consumer data, based on their failure to keep their data security practices up to date or properly respond to hacking incidents.

More broadly, the decision confirmed that the FTC had standing to bring an enforcement action even without evidence of actual fraud losses suffered by the consumers, finding that the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.  This standing issue has been hotly contested in private litigation, with courts dismissing many consumer claims for lack of evidence that actual fraud losses were suffered once the consumers’ personally identifiable information was compromised.  Other courts may find that the Wyndham decision offers some persuasive authority in favor of plaintiffs seeking to maintain class action lawsuits arising from data breaches.

As major data privacy breaches continue coming to light on a near-daily basis, the FTC now has broad authority to serve the public as a watchdog for data security.

And companies now have more reason than ever to protect consumer data and respond properly when they are victimized by hackers or suffer other compromises of their computerized information.

Devin J. Chwastyk practices in the litigation and data privacy groups of McNees Wallace & Nurick LLC, focusing on class actions and other complex commercial litigation, including data security and appellate litigation.