By Steven Caponi
As part of our ongoing effort to advise clients on significant developments in cybersecurity that are likely to impact their businesses, we have been actively reporting on the case of in FTC v. Wyndham Worldwide Corporation, et al., pending before U.S. District Judge Esther Salas in New Jersey. In April of this year we issued a client alert discussing the much anticipated April 7, 2014, decision by Judge Salas, which rejected a direct challenge to the Federal Trade Commission’s (“FTC”) authority to police corporate cybersecurity practices.
In a surprising development, on June 23, 2014, Judge Salas issued a Memorandum Opinion and Order granting Wyndham’s motion seeking immediate appellate review of the April 7 decision—without holding oral argument. Judge Salas’ reasons for supporting Wyndham’s request to file an appeal are instructive and suggest the FTC’s authority to act as the nation’s chief cybersecurity enforcement agency is far from resolved. Following a careful analysis, the Court acknowledged that if its interpretation the FTC’s authority was incorrect, it would represent reversible error on appeal, requiring a grant of Wyndham’s motion to dismiss. …”
The FTC had sued Wyndham in New Jersey based, in part, on the belief the FTC possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Moving to dismiss the action, Wyndham argued Congress, not the FTC, is the proper body to regulate cybersecurity and the FTC had failed to publish rules or regulations providing companies with fair notice of what protections are expected or acceptable.
In what was seen as a complete victory for the FTC, Judge Salas rejected Wyndham’s narrow interpretation of the FTC’s Section 5 powers. The Court concluded that Congress had vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to issue of fair notice, the Court concluded the FTC was not required to formally publish regulations on cybersecurity before bringing an enforcement action. Judge Salas noted that “courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”
To many, what was striking about Judge Salas’ April 7 decision was the manner in which Wyndham’s arguments were quickly dispatched in a straightforward and authoritative fashion. There appeared to be no equivocation or hesitation in the ruling. This led many commentators to suggest the legality of the FTC’s Section 5 powers was no longer seriously in doubt. So it came as a surprise when Judge Salas issued the June 23 Opinion granting the request to seek an interlocutory appeal and acknowledging the prior ruling may not necessarily be correct.
To place the most recent Opinion in context, it is important to note, as did Judge Salas, that “interlocutory certification should be used sparingly and that the District Court should serve as a diligent gatekeeper to prevent premature and piecemeal appeals.” Historically district and appellate courts have routinely relied upon this logic to quickly deny the vast majority of requests for interlocutory appeal. Before a party can seek an interlocutory appeal, it must first demonstrate under 28 U.S.C. § 1292(b): (i) there is a controlling issues of law; (ii) there is substantial ground for difference of opinion; and (iii) an immediate appeal may materially advance the ultimate determination of the litigation. Even if, however, all three criteria under Section 1292(b) are met, Judge Salas noted “the district court may still deny certification, as the decision is entirely within the district court’s discretion.”
In this instance, Judge Salas concluded all three prongs of Section 1292(b) had been satisfied. With regard to the first prong, the Court noted the April 7 decision involved two controlling issues of law: the FTC’s powers under Section 5 to regulate cybersecurity practices and whether the FTC must “formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.” The Court further concluded an immediate appeal may advance the ultimate termination of the litigation because it would potentially reduce the scope of a trial, resolve complex issues before trial, and materially narrow the scope of discovery.
For those who have been “handicapping” the likelihood the FTC’s interpretation of its Section 5 powers will prevail, Judge Salas concluded Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.” Citing Reese v. BP Exploration (Alaska) Inc., 643 F.3d 681, 688 (9th Cir. 2011), the Court held this standard was met because the April 7 decision involved “novel legal issues…on which fair-minded jurists might reach contradictory conclusions.”
Although resolute in her prior ruling, by recognizing other “fair minded jurists” may reach a different conclusion, Judge Salas has sent a clear, cautionary message that the FTC’s authority to regulate cybersecurity practices is not a foregone conclusion. At this juncture, all eyes will be on the Third Circuit Court of Appeals to see if they grant Wyndham’s request for an interlocutory appeal and, if so, how they ultimately rule on the issues identified by Judge Salas. Even after the Third Circuit acts, the scope of the FTC’s authority will not have been definitely decided. For as noted in the June 23 Opinion, “fair minded jurists” sitting in districts outside the Third Circuit and other circuit courts of appeals may reach a different conclusion.