After much anticipation, the Third Circuit heard oral arguments (audio) last Tuesday in the interlocutory appeal in FTC v. Wyndham Worldwide Corp. We have written previously about this case, which likely will be a significant one in the privacy and data-security field. At issue is whether Section 5 of the FTC Act authorizes the FTC to regulate data security at all, as well as what constitutes “unfairness” in the data-security context. The case may have a large impact on future FTC enforcement actions and major implications for class action litigation.
But after all the build up, the panel of the Third Circuit hearing argument might change the script. Questioning by the judges (Thomas Ambro, Jane Roth, and Anthony Scirica) indicated that the panel was seriously considering a ruling that the FTC should have brought any unfairness claim in an FTC administrative action in the first instance (as it did in the LabMD action), not in federal district court. If that happens, we will have to wait even longer to learn whether the federal courts agree with the FTC’s views on the scope and contours of its unfairness authority in the data-security context.
Counsel for the FTC and for Wyndham spent large portions of the oral argument emphasizing the positions they had briefed. Wyndham’s counsel, for example, argued at length that negligence alone cannot satisfy an “unfairness” standard, that businesses had not received adequate notice of what triggers such liability, and that the FTC had not adequately alleged substantial injury. But the panel may not reach those issues. Instead, the court focused on the threshold question of whether the FTC had the authority in the first place to sue in federal court under Section 13(b) of the FTC Act. That section permits “the Commission [to] seek, and after proper proof, the court [to] issue, a permanent injunction,” but limits such relief to “proper cases.”
Is the Wyndham action a “proper case”? According to the FTC—which invoked decisions of the Ninth Circuit and the Seventh Circuit for support—it is “proper” to sue whenever the FTC alleges a violation of a law that the FTC enforces. For its part, Wyndham did not disagree, instead arguing that such a rule would have practical benefits—including that, in its view, the company would get a fairer shake in federal court than in an FTC administrative action. But the Third Circuit panel appeared to be unconvinced on this point, and focused instead on whether a case presenting novel and complex issues should first be brought in an administrative action. In fact, the panel asked the parties to provide supplemental briefing on the point.
It is always perilous to read the tea leaves after an oral argument. But it is an understatement to say that the Third Circuit’s panel was dropping some hints, especially by requesting further briefing on whether the FTC action belongs in federal court. There is therefore a substantial possibility that the court will send the action to the FTC for administrative adjudication in the first instance.
That result would serve to underscore a point we have made before—that post hoc litigation is a poor way to impose data-security standards. Litigation moves forward in fits and starts, and by its nature is unlikely to produce clear rules or standards in complex areas like data security. In short, it is an unpredictable and expensive method of forging broadly applicable standards. All stakeholders—both businesses and their consumers and employees—are likely to suffer from a lack of meaningful direction if data-security standards are generated via litigation. With the cyber threat continuing to grow—from garden-variety hackers to sophisticated operations that may be sponsored by foreign governments—consensus-based standard setting is far more likely to provide practical guidance for American businesses that seek to protect private information, intellectual property, and business-critical systems from the continuing cyber onslaught.