On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, and now this ratification by the Third Circuit, are far-reaching.

After oral argument in March 2015, it appeared that the Third Circuit might be questioning just how far the FTC’s unfairness authority extends.  One of Wyndham’s arguments, articulated in its motion to dismiss that was in front of District Judge Esther Salas, was that the Congress never intended to allow the FTC to use the unfairness prong of its authority to reach negligent behavior that was not additionally fraudulent.  Judge Salas disagreed with that argument, noting during oral arguments that if Congress had not intended the FTC to wield such power, Congress would have acted years ago when it saw the FTC overstepping its authority.  During oral arguments in front of the Third Circuit, Circuit Judge Thomas L. Ambro seemed to back Wyndham’s argument, stating that the FTC was meant to use its authority to pursue routine fraud cases, and not those involving the outer limits of consumer harm.  The decision, though, makes clear that the Third Circuit does not believe that the FTC has overstepped its authority in its regulation of unfair data security practices.

First, the court addresses Wyndham’s argument, raised on appeal, that the plain meaning of the word “unfair” imposes requirements not met by the facts of this particular case.  The Third Circuit disagreed and found that the alleged conduct did not fall outside of the plain meaning of “unfair.”

Next, Wyndham argued that Congress’ recent enactment of legislation requiring the FTC to implement data security regulation in several specific contexts – under the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act – would be wholly unnecessary if the FTC already had the general authority to regulate cybersecurity. The court found independent reasons that Congress had for enacting the recent legislation and determined that “none of the recent privacy legislation was ‘inexplicable’ if the FTC already had some authority to regulate corporate cybersecurity through § 45(a) [of the FTC Act].”

The Third Circuit further found that “Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a).”  Instead, Wyndham was only entitled to have fair notice that “its conduct could fall within the meaning of the statute.”  The court concluded that Wyndham had such fair notice.

The Third Circuit’s ruling will provide support for the FCC’s July 9, 2015, settlement in TerraCom, Inc. and YourTel America. There, the FCC held that – even absent a prior rule – it had the inherent power under the Communication Act of 1934 to fine the carriers $3.5 million for failure to protect confidential information they received from more than 300,000 consumers.