Are Merchant Cyber Security Claims Unfair And Deceptive?

September 9, 2015

Can a company’s publicly stated cybersecurity policy be so poorly implemented that it amounts to an unfair and deceptive practice that deceives consumers into handing over credit card information?  The answer to this question may finally require merchants to be legally responsible for commercially reasonable cybersecurity practices.

Late in August, the federal Court of Appeals for the Third Circuit upheld the FTC’s right to sue Wyndham Corporation over its allegedly substandard cybersecurity practices.  If the decision is upheld, the FTC will have the authority to mandate that corporations claiming to have commercially reasonable cybersecurity policies actually do.  What a concept.

First, some background. Congress empowers the FTC to prevent “unfair or deceptive acts or practices in or affecting commerce.” What exactly satisfies this standard has always been open to interpretation. In 1994, Congress codified a 1980 Policy Statement at 15 U.S.C. § 45(n), which provides, in part, that the Commission has jurisdiction where 1) an act or practice causes a substantial harm to consumers, that 2) isn’t outweighed by any countervailing benefits to consumers or competition, and 3) that consumers couldn’t have themselves avoided.

On its website, Wyndham promised hotel visitors that their personal information was safeguarded using standard industry practices based on commercially reasonable efforts. At the same time, the company was victimized by three separate cyber attacks, which the FTC alleged compromised the privacy of 619,000 consumers and resulted in $10.6 million in fraud. The FTC argued that consumers had no way of knowing that they were putting their information at risk when they handed over their personal information. Wyndham challenged the FTC’s authority. It argued, among other things, that it could not be found to have engaged in unfair and deceptive practices when it was itself the victim of these cyber attacks.

The Third Circuit flatly rejected this argument. It pointed out that the repeated cyber break-ins were foreseeable, and that the FTC alleged that Wyndham’s procedures were less than commercially reasonable.

The case is important for several reasons. First, it means that even without Congressional action, there is now one more club with which to prod merchants into taking cybersecurity more seriously. Second, it exposes just how cynical merchants are in arguing that there is no need for federal laws protecting cybersecurity. Clearly, they don’t like the idea of being held to commercially reasonable standards. Third, the decision might act as a catalyst for getting federal cybersecurity legislation passed. If I were the CEO of a national corporation, I would much rather be subject to one set of federal cybersecurity standards than to the open-ended jurisdiction of a federal regulator.

Entry filed under: Legal Watch.


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
