The FTC has authority to sue companies for failure to maintain proper cyber security practices as “unfair” practices.

In this matter, the Third Circuit found that the FTC has authority to regulate cyber security as “unfair” practices under Section 45(a) of the Federal Trade Commission Act (Section 45(a)). The defendant, a hotel chain, experienced cyber security breaches on three separate occasions, exposing hundreds of thousands of consumers’ personal and financial information to hackers. As a result, the FTC filed a lawsuit in District Court against the defendant, alleging the defendant’s conduct related to its lack of cyber security protection was an “unfair” practice under Section 45(a). In asserting its claim, the FTC pointed to a number of issues with the defendant’s cyber security practices, including its failure to update its operating systems, lack of secure passwords, and its failure to limit the access of third-party vendors to its network. The District Court ruled in favor of the FTC, finding that it has authority to regulate companies’ cyber security measures. In upholding that decision, the Third Circuit held that proving “unfair” practices under Section 45(a) does not require a showing of unethical or unscrupulous conduct and can include cyber security practices. The court further noted that, just because the defendant was also a victim of the cyber crimes of others, did not make it immune to liability to the FTC.

_{Case Law Alerts, 4^th Quarter, October 2015}

_{Case Law Alerts is prepared by Marshall Dennehey Warner Coleman & Goggin to provide information on recent legal developments of interest to our readers. This publication is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Copyright © 2015 Marshall Dennehey Warner Coleman & Goggin, all rights reserved. This article may not be reprinted without the express written permission of our firm.}