The US Court of Appeals for the Third Circuit issued its ruling in FTC v. Wyndham Worldwide Corp., in which it found that the FTC has the authority to regulate in the area of cybersecurity.
While the opinion does not specifically address the employment relationship, it has very important implications for employment lawyers.
In the litigation, the FTC argued that the hotel chain, which had been subject to three data breaches and a loss of over 600,000 consumer records, was engaged in unfair trade practices by not better protecting the data in its care. Specifically, the FTC alleged that Wyndham violated both the deception and unfairness prongs of Section 5(a) of the Federal Trade Commission Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). They alleged this “in connection with [Wyndham’s] failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The court wrote:
In addition, the court addressed Wyndham’s contention that it was not on notice of the FTC’s cybersecurity rules it was meant to follow. (Hang tight…I am getting to employment law in a minute).
The court rejected the argument that Wyndham was not properly on notice of the rules on a number of grounds, including the presence of published FTC consent decrees which specifically addressed cybersecurity:
Before the attacks, the FTC also filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity… The agency published these materials on its website and provided notice of proposed consent orders in the Federal Register. Wyndham responds that the complaints cannot satisfy fair notice principles because they are not “adjudications on the merits.” But even where the “ascertainable certainty” standard applies to fair notice claims, courts regularly consider materials that are neither regulations nor “adjudications on the merits.” ….That the FTC commissioners—who must vote on whether to issue a complaint…believe that alleged cybersecurity practices fail the cost-benefit analysis of § 45(n) certainly helps companies with similar practices apprehend the possibility that their cybersecurity could fail as well.
Was Wyndham on notice? As the FTC suggested at oral arguments, “any careful general counsel should be looking at what the FTC is doing.”
So now let’s turn to employment law. As I have argued elsewhere:
The FTC also routinely holds employers accountable for failing to properly train employees on cybersecurity when cybersecurity failures are deemed to be unfair trade practices, that is, promising a secure product and not delivering on that promise.
Wyndham tells us that the FTC has the authority to regulate cybersecurity and that its published consent decrees are adequate notice to regulated companies. Since the FTC has routinely held employers liable for failing to properly train employees on cybersecurity, there should be no mistake about the applicability of Wyndham to the employment law world.
And that is news that makes it clear that any careful employment counsel should, in fact, be looking at what the FTC is doing.