Third Circuit Weighs Novel Cybersecurity Case

Five years ago, Russian hackers broke into the Wyndham Hotels computer network and stole the credit card information for thousands of customers, a security breach that has now put the novel question of whether the Federal Trade Commission (FTC) can sue a company for failing to properly secure its data in front of the Third Circuit.

After the FTC filed a suit against the hotel chain, invoking its authority under federal law to patrol unfair business practices, Wyndham responded that its cybersecurity system is outside the realm of the FTC's regulatory reach. Beyond that, Wyndham argued, the FTC hadn't given notice about what the law would require with regard to corporate data-security practices.

Wyndham lost its motion to dismiss in the District of New Jersey and filed an interlocutory appeal with the U.S. Court of Appeals for the Third Circuit.

Judge Thomas Ambro and Senior Judges Anthony Scirica and Jane Roth heard arguments last month.

Getting to the basic question of the reach conferred by that section of the FTC law, which Ambro termed “issue zero,” he asked the FTC's counsel: “Has Congress entrusted the FTC with declaring new practices unfair in the first instance?”

Joel Marcus, for the FTC, answered: “Congress certainly entrusted the FTC with defining the scope of unfairness. And ' Congress has also ' given the FTC a choice between proceeding in the first instance as an administrative matter, that's under Section 5 of the FTC Act, or proceeding under Section 13(b), codified as Section 53(b),” which allows the commission to bring a suit in federal court.

Earlier, Ambro had asked Wyndham's lawyer, Eugene Assaf of Kirkland & Ellis in Washington, DC, to address “whether the FTC can bring this action under 53(b) in the first place ' without declaring that unreasonable cybersecurity practices are unfair through an administrative process, either by rulemaking or internal adjudication.”

Assaf cited to case law from the Seventh and Ninth circuits and a line of district court cases that have built in the direction of allowing the commission to bring a case in the federal district courts alleging a violation of the FTC law in the first instance.

“So, against this backdrop ' I kept my powder dry on 13(b) because I don't think I should convince the court to create a circuit split. ' Plus, as a prudential matter, we actually thought about this, and I would prefer to be in federal court in front of Article III judges, as opposed to the agency,” Assaf said.

“Isn't that the real answer?” Ambro asked.

Since 1995, only one defendant has prevailed in front of the agency, Assaf said. “So, yes, as former litigators, I like my chances better in front of life-tenured Article III judges.”

Later, when Marcus was in front of the panel, he explained that “the agency often exercises its discretion to proceed under Section 13(b) because there are remedies available to the commission in federal court that are not available to the commission in the administrative process.”

The FTC had, essentially, alleged that Wyndham's insufficient data-security system had allowed for the multiple cybersecurity breaches that led to the theft of thousands of credit card numbers.

Assaf had told the court there hasn't been a single case that has held that a showing of negligence is enough to sustain an unfair trade practices suit.

But, Ambro cited to several related cases, and said: “Aren't you really on notice that these are the types of things that are really troubling the FTC, in this new area that changes, seemingly, every month ' cybersecurity?”

Saranac Hale Spencer writes for The Legal Intelligencer, an ALM sibling of e-Commerce Law & Strategy, in which this article originally appeared. She can be reached at [email protected]. Follow her on Twitter @SSpencerTLI.

Five years ago, Russian hackers broke into the Wyndham Hotels computer network and stole the credit card information for thousands of customers, a security breach that has now put the novel question of whether the Federal Trade Commission (FTC) can sue a company for failing to properly secure its data in front of the Third Circuit.

After the FTC filed a suit against the hotel chain, invoking its authority under federal law to patrol unfair business practices, Wyndham responded that its cybersecurity system is outside the realm of the FTC's regulatory reach. Beyond that, Wyndham argued, the FTC hadn't given notice about what the law would require with regard to corporate data-security practices.

Wyndham lost its motion to dismiss in the District of New Jersey and filed an interlocutory appeal with the U.S. Court of Appeals for the Third Circuit.

Judge Thomas Ambro and Senior Judges Anthony Scirica and Jane Roth heard arguments last month.

Getting to the basic question of the reach conferred by that section of the FTC law, which Ambro termed “issue zero,” he asked the FTC's counsel: “Has Congress entrusted the FTC with declaring new practices unfair in the first instance?”

Joel Marcus, for the FTC, answered: “Congress certainly entrusted the FTC with defining the scope of unfairness. And ' Congress has also ' given the FTC a choice between proceeding in the first instance as an administrative matter, that's under Section 5 of the FTC Act, or proceeding under Section 13(b), codified as Section 53(b),” which allows the commission to bring a suit in federal court.

Earlier, Ambro had asked Wyndham's lawyer, Eugene Assaf of Kirkland & Ellis in Washington, DC, to address “whether the FTC can bring this action under 53(b) in the first place ' without declaring that unreasonable cybersecurity practices are unfair through an administrative process, either by rulemaking or internal adjudication.”

Assaf cited to case law from the Seventh and Ninth circuits and a line of district court cases that have built in the direction of allowing the commission to bring a case in the federal district courts alleging a violation of the FTC law in the first instance.

“So, against this backdrop ' I kept my powder dry on 13(b) because I don't think I should convince the court to create a circuit split. ' Plus, as a prudential matter, we actually thought about this, and I would prefer to be in federal court in front of Article III judges, as opposed to the agency,” Assaf said.

“Isn't that the real answer?” Ambro asked.

Since 1995, only one defendant has prevailed in front of the agency, Assaf said. “So, yes, as former litigators, I like my chances better in front of life-tenured Article III judges.”

Later, when Marcus was in front of the panel, he explained that “the agency often exercises its discretion to proceed under Section 13(b) because there are remedies available to the commission in federal court that are not available to the commission in the administrative process.”

The FTC had, essentially, alleged that Wyndham's insufficient data-security system had allowed for the multiple cybersecurity breaches that led to the theft of thousands of credit card numbers.

Assaf had told the court there hasn't been a single case that has held that a showing of negligence is enough to sustain an unfair trade practices suit.

But, Ambro cited to several related cases, and said: “Aren't you really on notice that these are the types of things that are really troubling the FTC, in this new area that changes, seemingly, every month ' cybersecurity?”

Saranac Hale Spencer writes for The Legal Intelligencer, an ALM sibling of e-Commerce Law & Strategy, in which this article originally appeared. She can be reached at [email protected]. Follow her on Twitter @SSpencerTLI.