In a much anticipated decision, the Third Circuit recently upheld the Federal Trade Commission’s exercise of authority to fine and take other measures against businesses that fail to abide by the “standard of care” for data security. Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514 (3d Cir. Aug. 24, 2015). Wyndham challenged the FTC’s actions arguing that negligent security practices were not an “unfair practice” and that the FTC failed to provide adequate notice of what constituted the standard of care in this context. The Third Circuit, like the trial court before it, disagreed. It held that Wyndham’s negligent data security practices were an “unfair” business practice under 15 U.S.C. § 45(a), otherwise known as § 5 of the FTC Act, because it “publishe[d] a privacy policy to attract customers who are concerned about data privacy, fail[ed] to make good on that promise by investing inadequate resources in cyber security, and thereby expose[d] its unsuspecting customers to substantial financial injury, and retains the profits of their business.”
The Third Circuit rejected Wyndham’s due process, lack of notice of standard of care argument, holding that Wyndham was not entitled to know with ascertainable certainty the FTC's interpretation of what cyber security practices are required by § 45(a) – to know what practices are required by the standard of care. The Court explained that Wyndham had adequate notice of the standard of care because § 45(n) of the Act defines it using usual tort cost-benefit analysis. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir.1947). Nothing more is required to satisfy due process concerns in this context.
Prior to the Wyndham decision, courts generally held that the economic loss rule precludes a claim for negligent data security practices. E.g., Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 967-973 (S.D. Cal. 2014) (dismissing such claims under both Massachusetts and California law on the basis of lack of a “special relationship”). The question remains open whether Wyndham defines a special relationship and tort duty that would preclude application of the economic loss rule. Keep an eye on this space for further developments.