Federal Trade Commission v Wyndom; the FTC has significant win in the US Court of Appeal regarding privacy regulation
August 27, 2015 |
When, or even if, the Privacy Commissioner exercises his powers under the Privacy Act in relation to poor privacy policies and standards it could do worse than consider some of the US Federal Trade Commission (the “FTC”) litigation as well as ACCC cases. That would require the Privacy Commissioner to do that which he has steadfastly refused or failed to do to date.
The FTC has had a very significant win in the US Court of Appeals for the Third Circuit in Federal Trade Commission v Wyndom Worldwide Corporation & ors. The Court of Appeal has affirmed the FTC’s jurisdiction to regulate and enforce data security. The FTC alleges that Wyndham failed to reasonably protect consumers personal information. The basis of the claim is section 5 of the Federal Trade Commission which prohibits unfair acts or practices.
The FTC listed the deficiencies in Wyndom’s privacy and security structure as being:
These problems are depressingly familiar,
The Court of Appeal also made clear that the claim does not have to based on actual injury suffered but rather likely injury. That can be a significant matter in privacy regulation. The Court of Appeal stated:
Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester, 104 F.T.C. at 1061, “they may also be brought on the basis of likely rather than actual injury,” id. at 1061 n.45. And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs. 15 U.S.C. § 45(n) (“[An unfair act or practice] causes or is likely to cause substantial injury” (emphasis added)). More importantly, that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harms. See Restatement (Second) of Torts § 449 (1965) (“If the likelihood that a third person may act in a particular manner is the hazard or one of the hazards which makes the actor negligent, such an act[,] whether innocent, negligent, intentionally tortious, or criminal[,] does not prevent the actor from being liable for harm caused thereby.”); Westfarm Assocs. v. Wash. Suburban Sanitary Comm’n, 66 F.3d 669, 688 (4th Cir. 1995) (“Proximate cause may be found even where the conduct of the third party is . . . criminal, so long as the conduct was facilitated by the first party and reasonably foreseeable, and some ultimate harm was reasonably foreseeable.”). For good reason, Wyndham does not argue that the cybersecurity intrusions were unforeseeable. That would be particularly implausible as to the second and third [hacking] attacks [that Wyndham experienced].
The applicability of the detailed analysis in the decision is not directly relevant to the Australian context. There is a longstanding body of law involving civil penalty proceedings in the Federal Court. That said the Corporations or Consumer law decisions are not directly applicable to privacy and data protection claims. There would need to a different formulation of such claims. In that respect the manner in which the claim is framed in these US cases may be of use.
The FTC media release provides:
Federal Trade Commission Chairwoman Edith Ramirez issued the following statement in response to a ruling today by the U.S. Court of Appeals for the Third Circuit, regarding the FTC’s case against Wyndham Hotels and Resorts for allegedly failing to reasonably protect consumers’ personal information:
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Today’s decision affirms a federal district court ruling, which upheld the FTC’s authority to bring data security cases under the provision of Section 5 of the FTC Act that outlaws unfair acts or practices in or affecting commerce.
[…] Federal Trade Commission v Wyndom; the FTC has significant win in the US Court of Appeal regarding p… […]