Many statutes authorizing regulation by executive agencies were written long before modern computer technology was invented, and even longer before hackers began exploiting weaknesses to access personal information. In the last decade, the Federal Trade Commission (FTC) has started to police companies for exposing the data they collect from consumers to the threat of breach. The Commission has primarily based this enforcement on the FTC Act1 (FTCA), which in 15 U.S.C. § 45(a) prohibits “unfair . . . practices in or affecting commerce.”2 This language has left the Commission vulnerable to challenge based on its scope of authority. Recently, in FTC v. Wyndham Worldwide Corp.,3 the Third Circuit held that certain data security practices could be considered “unfair” under § 45(a), and that the relevant provision provided Wyndham fair notice that its practices opened it up to liability. Based on the procedural posture and facts of the case, the court correctly determined that Wyndham had fair notice of its potential liability under the statute. But the court’s statutory fair notice analysis illustrated a tension between effective FTC regulation of data security practices and constitutional notice requirements. Future courts facing more difficult factual circumstances will likely have to grapple with this tension in a way the Third Circuit was able to avoid.
Wyndham Worldwide, a hospitality company that franchises and manages hotels, used a property management system that processed consumer information, including names, addresses, contact information, and credit card information.4 In 2008 and 2009, Wyndham’s network and property management systems were hacked three times.5 Hackers allegedly accessed unencrypted information for over 619,000 accounts, resulting in approximately $10.6 million in fraud loss.6
The FTC filed suit against Wyndham in the U.S. District Court for the District of Arizona in June 2012,7 claiming that the hacks were the result of unfair and deceptive practices in violation of § 45(a).8 At Wyndham’s request the case was transferred to the U.S. District Court for the District of New Jersey, and Wyndham filed a Rule 12(b)(6) motion to dismiss.9 Wyndham asserted three claims: the FTC did not have authority to bring a data security unfairness claim, violated fair notice principles by bringing an unfairness claim without first promulgating formal regulations, and insufficiently pleaded its unfairness and deception claims.10
The district court denied the motion to dismiss.11 In response to Wyndham’s first claim, the court held that FTC authority over data security could “coexist with the existing data security regulatory scheme”12 and was not, as Wyndham argued, analogous to the FDA’s claim of authority over tobacco rejected in FDA v. Brown & Williamson Tobacco Corp.13 As to Wyndham’s second claim, the court noted that agencies generally have the discretion to regulate through adjudication or rulemaking as they see fit.14 Although the court acknowledged the parties’ dispute over the applicable standard of review,15 it focused instead on the ability of the FTC’s public statements, guidance documents, and complaints and consent decrees to provide notice.16 Moreover, “a statutorily-defined standard exist[ed] for asserting an unfairness claim”17 — § 45 requires that a practice satisfy a particular cost-benefit balancing test to be declared “unfair.”18 The court also held the FTC did not need to formally promulgate rules because the proscriptions in § 45 are purposefully flexible.19 It also denied Wyndham’s third claim, finding that the agency had adequately alleged substantial consumer injury that was not reasonably avoidable by the consumers themselves.20
The Third Circuit granted interlocutory appeal on two questions: (1) whether the FTC had the authority to regulate data security under the unfairness prong of § 45(a), and (2) whether Wyndham had fair notice that its specific practices could run afoul of that provision.21 The court affirmed the district court and ruled in favor of the FTC on both questions.
Writing for the panel, Judge Ambro22 first addressed whether the FTC had authority under § 45(a) to regulate the alleged data security practices. The court began by noting that ambiguity and flexibility were purposefully built into the FTCA.23 The court dismissed Wyndham’s argument, first raised on appeal, that the alleged conduct fell outside of the plain meaning of “unfair.”24 The court also substantially reiterated the lower court’s analysis of Wyndham’s Brown & Williamson argument, finding the situations were not analogous.25
Having rejected Wyndham’s arguments that its conduct could not be unfair,26 the court turned to Wyndham’s argument that the FTC had not provided fair notice of possible liability. To ascertain which legal standard governed Wyndham’s claim, the court addressed whether the statute itself could provide notice, or whether the FTC, by issuing an interpretation of the statute, owed Wyndham notice of what conduct was required by its interpretation. If the notice derived from the statute, the relatively “lax” vagueness standard for civil statutes regulating economic activities would apply.27 On the other hand, when an agency brings an enforcement action based on its interpretation of its organic statute, the regulated party is entitled to have “ascertainable certainty” of what conduct was required or prohibited.28 To argue that the FTC’s view of its authority over data security practices was not owed any deference,29 Wyndham had consistently asserted that the FTC had not promulgated any binding interpretation of the statute.30 The court accepted this contention and concluded that the “necessary consequence” was that Wyndham was “only entitled to notice of the meaning of the statute and not to the agency’s interpretation of the statute.”31 Therefore, the court considered “whether Wyndham had fair notice that its conduct could fall within the meaning of the statute.”32
After articulating the applicable legal standard for Wyndham’s fair notice claim, the court concluded that the FTC’s previous adjudication and interpretive guidance provided the requisite notice to Wyndham that its actions could be considered “unfair” under the FTCA. The court reasoned that Wyndham was entitled to a comparatively low level of statutory notice because no constitutional rights were implicated and because the statute was civil and regulated economic activity.33 The cost-benefit analysis of § 45(n) provided the relevant statutory language. It informed Wyndham that it should consider the probability and magnitude of harms to consumers caused by its data security practices and whether these costs outweighed any savings from not employing more secure practices.34 The court noted that Wyndham was hacked three times and that its alleged security practices were specifically counseled against by FTC guidance and complaints.35 Based on these factors, the court rejected the fair notice claim.36
Wyndham marked the first time the FTC’s authority to regulate data security under the unfairness prong of § 45(a) — and its method for doing so — had been addressed by a court.37 Given the case the court was presented with, its reasoning that Wyndham had fair notice of possible liability was appropriate. Wyndham highlights the efficacy of the FTC’s enforcement scheme in the context of data security but illustrates an inherent tension with traditional precedent on fair notice. This tension will have to be resolved in cases in which the facts and procedural posture do not allow for such a tidy conclusion.
Because the court was reviewing a ruling on a Rule 12(b)(6) motion to dismiss, it accepted the truth of all factual allegations.38 Wyndham’s alleged data security practices, or lack thereof, were egregious. The FTC did not “allege that Wyndham used weak firewalls, IP address restrictions, [or] encryption software . . . . Rather, it allege[d] that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, [and] did not use any encryption for certain customer files . . . .”39 Furthermore, the company was not hacked just once, but three times, and the second and third hacks occurred after Wyndham had knowledge of the first breach.40 As the court found, Wyndham could reasonably have anticipated its actions would not pass the cost-benefit analysis of § 45(n),41 even without FTC interpretation.
In addition, Wyndham tried to argue that the FTC had not interpreted the FTCA but that the company was still entitled to the fair notice standard designated for enforcement based on binding agency interpretations. In arguing that no deference was owed to the FTC’s view that it had authority over data security under the unfairness prong of § 45(a), Wyndham asserted that the Commission had not promulgated a binding interpretation of the FTCA in this area.42 Once the court found the FTC had statutory authority, Wyndham’s argument worked against it. The court could “accept Wyndham’s forceful contention” that it did not have to address whether the FTC had interpreted the statute and could therefore analyze the fair notice inquiry based on the statute itself.43 The court contained its inquiry to the statutory language and the lower threshold for notice rather than delving into Chevron analysis or concerns regarding retroactive application of agency interpretations.44
The Third Circuit’s embrace of Wyndham’s argument allowed it to avoid wading into both an ongoing regulatory process45 and a debate about how the FTC should best regulate this field.46 Rather than engage in notice-and-comment rulemaking, as some academics have urged,47 the Commission has focused on adjudication since it began regulating data security practices under its unfairness authority in 2005, primarily settling with companies under consent orders.48 Using this strategy, the Commission can enforce baseline standards, as it did here, while retaining the intentional flexibility built into its organic statute.49 Data security is a moving target, with companies constantly using data in new ways and facing myriad potential threats.50 Specific rules would fail “to offer a touchstone for guiding privacy decisionmaking in new contexts, as new types of products, technologies, and business models evolve.”51 Importantly, the FTC provides guidance in parallel with its enforcement activity. In addition to previous complaints issued as part of consent decrees,52 the Third Circuit relied on the Commission’s guidebook, which detailed specific practices that were not followed by Wyndham.53 Since Wyndham was first hacked, the FTC has continued hosting conferences, publishing reports, and soliciting public comment on its consent decrees.54 Furthermore, reflecting the ethos of self-regulation that has characterized this field,55 industry standards have developed that further inform companies about what practices are considered reasonable.56 Reliance on informal interpretations allows the FTC to respond to developments in the market, and forces both the Commission and the companies it regulates to focus on what is most important — consumer protection against known and new threats — rather than simple compliance with specified rules. The court’s analysis of how Wyndham could have relied on statutory language and interpretive guidance demonstrates how this enforcement approach might work practically for companies.
However, elements of the statutory fair notice analysis highlight the tension between the FTC’s enforcement and the traditional notice requirements to which agencies are held. In particular, the court pointed out that economic statutes “receive a ‘less strict’ test because their ‘subject matter is often more narrow, and because businesses . . . can be expected to consult relevant legislation in advance of action.’”57 Decades of FTC enforcement have demonstrated that the FTCA does not in fact have a narrow reach.58 And while the court found that Wyndham could have foreseen that its actions would be considered unfair under the § 45(n) cost-benefit analysis,59 companies challenging FTC action in the future are more likely to present borderline cases dealing with less obviously reckless practices that do not so clearly fall within the statute and available (nonbinding) FTC interpretations.
It is these cases that present the problem.60 In most of the cases that have addressed fair notice challenges to administrative actions, such as environmental or vehicle-safety regulation,61 the agency could promulgate rules without fear of the rules becoming immediately outdated.62 In contrast, fair notice is particularly thorny for the FTC in the data security context. If the FTC were to promulgate rules flexible enough for changing circumstances, these rules would necessarily be so vague as to not give significantly more notice than the status quo. Alternatively, if the FTC were to promulgate specific rules, those rules would likely not adequately address the full array of practices companies must implement to effectively secure consumer data. Therefore, the “ascertainable certainty” for regulated entities that courts might require could be incompatible with effective FTC policing of data security practices.63
The Third Circuit was able to avoid the problems that may arise in marginal cases because its role in this case was confined to the facts as alleged and the arguments as presented. The court’s analysis shows that the statute, supplemented by persuasive guidance from the FTC, provides sufficient notice in easy cases where companies’ data security practices are clearly unreasonable. However, FTC enforcement of less obviously unreasonable practices, which could not rest on statutory notice alone, will require future courts to address how the agency can continue its consumer-protection-focused enforcement while giving companies the necessary notice of the standards to which they will be held.