Are Merchant Cyber Security Claims Unfair And Deceptive?
Can a company’s publicly stated cybersecurity policy be so poorly implemented that it amounts to an unfair and deceptive practice that deceives consumers into handing over credit card information? The answer to this question may finally require merchants to be legally responsible for commercially reasonable cybersecurity practices.
Late in August, the federal Court of Appeals for the Third Circuit upheld the FTC’s right to sue Wyndham Corporation over its allegedly substandard cybersecurity practices. If the decision is upheld, the FTC will have the authority to mandate that corporations claiming to have commercially reasonable cybersecurity policies actually do. What a concept.
First, some background. Congress empowers the FTC to prevent “unfair or deceptive acts or practices in or affecting commerce.” What exactly satisfies this standard has always been open to interpretation. In 1994, Congress codified a 1980 Policy Statement at 15 U.S.C. § 45(n), which provides, in part, that the Commission has jurisdiction where 1) an act or practice causes substantial harm to consumers, 2) that harm is not outweighed by any countervailing benefits to consumers or competition, and 3) consumers could not reasonably have avoided the harm themselves.
On its website, Wyndham promised hotel visitors that their personal information was safeguarded using standard industry practices based on commercially reasonable efforts. At the same time, the company was victimized by three separate cyber attacks, which the FTC alleged compromised the privacy of 619,000 consumers and resulted in $10.6 million in fraud. The FTC argued that consumers had no way of knowing that they were putting their information at risk when they handed over their personal information. Wyndham challenged the FTC’s authority. It argued, among other things, that it could not be found to have engaged in unfair and deceptive practices when it was itself the victim of these cyber attacks.
The Third Circuit flatly rejected this argument. It pointed out that the repeated cyber break-ins were foreseeable, and that the FTC alleged that Wyndham’s procedures were less than commercially reasonable.
The case is important for several reasons. First, it means that even without Congressional action, there is now one more club with which to prod merchants into taking cybersecurity more seriously. Secondly, it exposes just how cynical merchants are in arguing that there is no need for federal laws protecting cybersecurity. Clearly, they don’t like the idea of being held to commercially reasonable standards. Thirdly, the decision might act as a catalyst for getting federal cybersecurity legislation passed. If I were the CEO of a national corporation, I would much rather be subject to one set of federal cybersecurity standards than to the open-ended jurisdiction of a federal regulator.