OPINION OF THE COURT
The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.
On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation’s computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham’s motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision. We affirm the District Court.
I. Background
A. Wyndham’s Cybersecurity
Wyndham Worldwide is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries. Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Wyndham “manage[s]” these systems and requires the hotels to “purchase and configure” them to its own specifications. Compl. at ¶ 15, 17. It also operates a computer network in Phoenix, Arizona, that connects its data center with the property management systems of each of the Wyndham-branded hotels.
The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Id. at ¶ 24. This claim is fleshed out as follows.
1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.” Id. at ¶ 24(f).
4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” Id. at ¶ 24(c). Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled ..., which were easily available to hackers through simple Internet searches.” Id. And, because it failed to maintain an “adequate[] inventory [of] computers connected to [Wyndham’s] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks. Id. at ¶ 24(g).
5. Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels. Id. at ¶ 24(j). For example, it did not “restrict[] connections to specified IP addresses or grant[] temporary, limited access, as necessary.” Id.
6. It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.” Id. at ¶ 24(h).
7. It did not follow “proper incident response procedures.” Id. at ¶ 24(i). The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.
Although not before us on appeal, the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company’s cybersecurity.
We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information — such as credit card numbers, online forms, and financial data — from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards....
Id. at ¶ 21. The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.
B. The Three Cybersecurity Attacks
As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then
In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered “memory-scraping malware” used in the previous attack on more than thirty hotels’ computer systems. Id. at ¶ 34. The FTC asserts that, due to Wyndham’s “failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months.” Id. In this second attack, the hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.
Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account on one of its networks. Because Wyndham “had still not adequately limited access between ... the Wyndham-branded hotels’ property management systems, [Wyndham’s network], and the Internet,” the hackers had access to the property management servers of multiple hotels. Id. at ¶ 37. Wyndham only learned of the intrusion in January 2010 when a credit card company received complaints from cardholders. In this third attack, hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels.
The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit,” Id. at ¶ 40, and that they “expended time and money resolving fraudulent charges and mitigating subsequent harm.” Id.
C. Procedural History
The FTC filed suit in the U.S. District Court for the District of Arizona in June 2012 claiming that Wyndham engaged in “unfair” and “deceptive” practices in violation of § 45(a). At Wyndham’s request, the Court transferred the case to the U.S. District Court for the District of New Jersey. Wyndham then filed a Rule 12(b)(6) motion to dismiss both the unfair practice and deceptive practice claims. The District Court denied the motion but certified its decision on the unfairness claim for interlocutory appeal. We granted Wyndham’s application for appeal.
II. Jurisdiction and Standards of Review
The District Court has subject-matter jurisdiction under 28 U.S.C. §§ 1331, 1337(a), and 1345. We have jurisdiction under 28 U.S.C. § 1292(b).
We have plenary review of a district court’s ruling on a motion to dismiss for failure to state a claim under Rule 12(b)(6). Farber v. City of Paterson,
III. FTC’s Regulatory Authority Under § 45(a)
A. Legal Background
The Federal Trade Commission Act of 1914 prohibited “unfair methods of competition in commerce.” Pub.L. No. 63-203, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. § 45(a)). Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ ... by enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & Hutchinson Co.,
After several early cases limited “unfair methods of competition” to practices harming competitors and not consumers, see, e.g., FTC v. Raladam Co.,
For the next few decades, the FTC interpreted the unfair-practices prong primarily through agency adjudication. But in 1964 it issued a “Statement of Basis and Purpose” for unfair or deceptive advertising and labeling of cigarettes, 29 Fed.Reg. 8324, 8355 (July 2, 1964), which explained that the following three factors governed unfairness determinations:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise — whether, in other words, it is within at least the penumbra of some common-law, statutory or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers (or competitors or other businessmen).
Id.
Almost a decade later, the Supreme Court implicitly approved these factors, apparently acknowledging their applicability to contexts other than cigarette advertising and labeling. Sperry,
During the 1970s, the FTC embarked on a controversial campaign to regulate children’s advertising through the unfair-practices prong of § 45(a). At the request of Congress, the FTC issued a second policy statement in 1980 that clarified the three factors. FTC Unfairness Policy Statement, Letter from the FTC to Hon. Wendell Ford and Hon. John Danforth, Senate Comm. on Commerce, Sci., and Transp. (Dec. 17, 1980), appended to Int’l Harvester Co.,
[t]o justify a finding of unfairness the injury must satisfy three tests. [1] It must be substantial; [2] it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and [3] it must be an injury that consumers themselves could not reasonably have avoided.
Id.
In 1994, Congress codified the 1980 Policy Statement at 15 U.S.C. § 45(n):
The Commission shall have no authority under this section ... to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.
FTC Act Amendments of 1994, Pub.L. No. 103-312, § 9, 108 Stat. 1691, 1695. Like the 1980 Policy Statement, § 45(n) requires substantial injury that is not reasonably avoidable by consumers and that is not outweighed by the benefits to consumers or competition. It also acknowledges the potential significance of public policy and does not expressly require that an unfair practice be immoral, unethical, unscrupulous, or oppressive.
B. Plain Meaning of Unfairness
Wyndham argues (for the first time on appeal) that the three requirements of 15 U.S.C. § 45(n) are necessary but insufficient conditions of an unfair practice and that the plain meaning of the word “unfair” imposes independent requirements that are not met here. Arguably, § 45(n) may not identify all of the requirements for an unfairness claim. (While the provision forbids the FTC from declaring an act unfair “unless” the act satisfies the three specified requirements, it does not answer whether these are the only requirements for a finding of unfairness.) Even if so, some of Wyndham’s proposed requirements are unpersuasive, and the rest are satisfied by the allegations in the FTC’s complaint.
First, citing FTC v. R.F. Keppel & Brother, Inc.,
Next, citing one dictionary, Wyndham argues that a practice is only “unfair” if it is “not equitable” or is “marked by injustice, partiality, or deception.” Wyndham Br. at 18-19 (citing Webster’s Ninth New Collegiate Dictionary (1988)). Whether these are requirements of an unfairness claim makes little difference here. A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
We recognize this analysis of unfairness encompasses some facts relevant to the FTC’s deceptive practices claim. But facts relevant to unfairness and deception claims frequently overlap. See, e.g., Am. Fin. Servs. Ass’n v. FTC,
Continuing on, Wyndham asserts that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” Wyndham Br. at 21 (emphasis in original). It offers no reasoning or authority for this principle, and we can think of none ourselves. Although unfairness claims “usually involve actual and completed harms,” Int’l Harvester,
Finally, Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, ... to require every store in the land to post an armed guard at the door,” Wyndham Br. at 23, and to sue supermarkets that are “sloppy about sweeping up banana peels,” Wyndham Reply Br. at 6.
We are therefore not persuaded by Wyndham’s arguments that the alleged conduct falls outside the plain meaning of “unfair.”
C. Subsequent Congressional Action
Wyndham next argues that, even if cybersecurity were covered by § 45(a) as initially enacted, three legislative acts since the subsection was amended in 1938 have reshaped the provision’s meaning to exclude cybersecurity. A recent amendment to the Fair Credit Reporting Act directed the FTC and other agencies to develop regulations for the proper disposal of consumer data. See Pub.L. No. 108-159, § 216(a), 117 Stat. 1952, 1985-86 (2003) (codified as amended at 15 U.S.C. § 1681w). The Gramm-Leach-Bliley Act required the FTC to establish standards for financial institutions to protect consumers’ personal information. See Pub.L. No. 106-102, § 501(b), 113 Stat. 1338, 1436-37 (1999) (codified as amended at 15 U.S.C. § 6801(b)). And the Children’s Online Privacy Protection Act ordered the FTC to promulgate regulations requiring children’s websites, among other things, to provide notice of “what information is collected from children ..., how the operator uses such information, and the operator’s disclosure practices for such information.” Pub.L. No. 105-277, § 1303, 112 Stat. 2681, 2681-730-732 (1998) (codified as amended at 15 U.S.C. § 6502).
Wyndham contends these “tailored grants of substantive authority to the FTC in the cybersecurity field would be inexplicable if the Commission already had general substantive authority over this field.” Wyndham Br. at 25. Citing FDA v. Brown & Williamson Tobacco Corp.,
We are not persuaded. The inference to congressional intent based on post-enactment legislative activity in Brown & Williamson was far stronger. There, the Food and Drug Administration had repeatedly disclaimed regulatory authority over tobacco products for decades. Id. at 144,
We disagree that Congress lacked reason to pass the recent legislation if the FTC already had regulatory authority over some cybersecurity issues. The Fair Credit Reporting Act requires (rather than authorizes) the FTC to issue regulations, 15 U.S.C. § 1681w (“The Federal Trade Commission ... shall issue final regulations requiring....” (emphasis added)); id. § 1681m(e)(1)(B) (“The [FTC and other agencies] shall jointly ... prescribe regulations requiring each financial institution. ...” (emphasis added)), and expands the scope of the FTC’s authority, id. § 1681s(a)(1) (“[A] violation of any requirement or prohibition imposed under this subchapter shall constitute an unfair or deceptive act or practice in commerce ... and shall be subject to enforcement by the [FTC] ... irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests under the [FTC] Act.”). The Gramm-Leach-Bliley Act similarly requires the FTC to promulgate regulations, id. § 6801(b) (“[The FTC] shall establish appropriate standards for the financial institutions subject to [its] jurisdiction.... ”), and relieves some of the burdensome § 45(n) requirements for declaring acts unfair, id. § 6801(b) (“[The FTC] shall establish appropriate standards ... to protect against unauthorized access to or use of ... records ... which could result in substantial harm or inconvenience to any customer.” (emphasis added)). And the Children’s Online Privacy Protection Act required the FTC to issue regulations and empowered it to do so under the procedures of the Administrative Procedure Act, id. § 6502(b) (citing 5 U.S.C. § 553), rather than the more burdensome Magnuson-Moss procedures under which the FTC must usually issue regulations, 15 U.S.C. § 57a. Thus none of the recent privacy legislation was “inexplicable” if the FTC already had some authority to regulate corporate cybersecurity through § 45(a).
Next, Wyndham claims that the FTC’s interpretation of § 45(a) is “inconsistent with its repeated efforts to obtain from Congress the very authority it purports to wield here.” Wyndham Br. at 28. Yet again we disagree. In two of the statements cited by Wyndham, the FTC clearly said that some cybersecurity practices are “unfair” under the statute.
See Consumer Data Protection: Hearing Before the Subcomm. on Commerce, Mfg. & Trade of the H. Comm. on Energy & Commerce,
In the two other cited statements, given in 1998 and 2000, the FTC only acknowledged that it cannot require companies to adopt “fair information practice policies.”
See FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace — A Report to Congress 34 (2000) [hereinafter Privacy Online]; Privacy in Cyberspace: Hearing Before the Subcomm. on Telecomms., Trade & Consumer Prot. of the H. Comm. on Commerce,
Having rejected Wyndham’s arguments that its conduct cannot be unfair, we assume for the remainder of this opinion that it was.
IV. Fair Notice
A conviction or punishment violates the Due Process Clause of our Constitution if the statute or regulation under which it is obtained “fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.” FCC v. Fox Television Stations, Inc., — U.S. -,
A. Legal Standard
The level of required notice for a person to be subject to liability varies by circumstance. In Bouie v. City of Columbia, the Supreme Court held that a “judicial construction of a criminal statute” violates due process if it is “unexpected and indefensible by reference to the law which had been expressed prior to the conduct in issue.”
The fair notice doctrine extends to civil cases, particularly where a penalty is imposed. See Fox Television Stations, Inc.,
A different set of considerations is implicated when agencies are involved in statutory or regulatory interpretation. Broadly speaking, agencies interpret in at least three contexts. One is where an agency administers a statute without any special authority to create new rights or obligations. When disputes arise under this kind of agency interpretation, the courts give respect to the agency’s view to the extent it is persuasive, but they retain the primary responsibility for construing the statute.
As such, the standard of notice afforded to litigants about the meaning of the statute is not dissimilar to the standard of notice for civil statutes generally.
The second context is where an agency exercises its authority to fill gaps in a statutory scheme. There the agency is primarily responsible for interpreting the statute because the courts must defer to any reasonable construction it adopts. See Chevron, U.S.A., Inc. v. Natural Res. Def. Council, Inc.,
The third context is where an agency interprets the meaning of its own regulation. Here also courts typically must defer to the agency’s reasonable interpretation.
We and several of our sister circuits have stated that private parties are entitled to know with “ascertainable certainty” an agency’s interpretation of its regulation. Sec’y of Labor v. Beverly Healthcare-Hillview,
A higher standard of fair notice applies in the second and third contexts than in the typical civil statutory interpretation case because agencies en
Furthermore, courts generally resolve statutory ambiguity by applying traditional methods of construction. Private parties can reliably predict the court’s interpretation by applying the same methods. In contrast, an agency may also rely on technical expertise and political values. It is harder to predict how an agency will construe a statute or regulation at some unspecified point in the future, particularly when that interpretation will depend on the “political views of the President in office at [that] time.” Strauss, supra at 1147.
Wyndham argues it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by § 45(a). Yet it has contended repeatedly — no less than seven separate occasions in this case — that there is no FTC rule or adjudication about cybersecurity that merits deference here. The necessary implication, one that Wyndham itself has explicitly drawn on two occasions noted below, is that federal courts are to interpret § 45(a) in the first
Wyndham’s argument has focused on the FTC’s motion to dismiss order in LabMD, an administrative case in which the agency is pursuing an unfairness claim based on allegedly inadequate cybersecurity. LabMD Order, supra.
Wyndham first argued in the District Court that the LabMD Order does not merit Chevron deference because “self-serving, litigation-driven decisions ... are entitled to no deference at all” and because the opinion adopted an impermissible construction of the statute. Wyndham’s January 29, 2014 Letter at 1-2, FTC v. Wyndham Worldwide Corp.,
Second, Wyndham switched gears in its opening brief on appeal to us, arguing that LabMD does not merit Chevron deference because courts owe no deference to an agency’s interpretation of the “boundaries of Congress’ statutory delegation of authority to the agency.” Wyndham Br. at 19-20.
Third, in its reply brief it argued again that LabMD does not merit Chevron deference because it adopted an impermissible construction of the statute. Wyndham Reply Br. at 14.
Fourth, Wyndham switched gears once more in a Rule 28(j) letter, arguing that LabMD does not merit Chevron deference because the decision was nonfinal. Wyndham’s February 6, 2015 Letter (citing LabMD, Inc. v. FTC,
Fifth, at oral argument we asked Wyndham whether the FTC has decided that cybersecurity practices are unfair. Counsel answered: “No. I don’t think consent decrees count, I don’t think the 2007 brochure counts, and I don’t think Chevron deference applies. So are ... they asking this federal court in the first instance ... [?] I think the answer to that question is yes.... ” Oral Arg. Tr. at 19.
Sixth, due to our continuing confusion about the parties’ positions on a number of issues in the case, we asked for supplemental briefing on certain questions, including whether the FTC had declared that cybersecurity practices can be unfair. In response, Wyndham asserted that “the FTC has not declared unreasonable cybersecurity practices ‘unfair.’ ” Wyndham’s Supp. Memo. at 3. Wyndham explained further: “It follows from [our] answer to [that] question that the FTC is asking the federal courts to determine in the first instance that unreasonable cybersecurity practices qualify as ‘unfair’ trade practices under the FTC Act.” Id. at 4.
Seventh, and most recently, Wyndham submitted a Rule 28(j) letter arguing that LabMD does not merit Chevron deference because it decided a question of “deep economic and political significance.” Wyndham’s June 30, 2015 Letter (quoting King v. Burwell, — U.S. -,
Wyndham’s position is unmistakable: the FTC has not yet declared that cybersecurity practices can be unfair; there is no relevant FTC rule, adjudication or document that merits deference; and the FTC is asking the federal courts to interpret § 45(a) in the first instance to decide whether it prohibits the alleged conduct here. The implication of this position is similarly clear: if the federal courts are to decide whether Wyndham’s conduct was unfair in the first instance under the statute without deferring to any FTC interpretation, then this case involves ordinary judicial interpretation of a civil statute, and the ascertainable certainty standard does not apply. The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but
Indeed, at oral argument we asked Wyndham whether the cases cited in its brief that apply the “ascertainable certainty” standard — all of which involve a court reviewing an agency adjudication or at least a court being asked to defer to an agency interpretation — apply where the court is to decide the meaning of the statute in the first instance. Wyndham’s counsel responded, “I think it would, your Honor. I think if you go to Ford Motor [Co. v. FTC,
In addition, our understanding of Wyndham’s position is consistent with the District Court’s opinion, which concluded that the FTC has stated a claim under § 45(a) based on the Court’s interpretation of the statute and without any reference to LabMD or any other agency adjudication or regulation. See FTC v. Wyndham Worldwide Corp.,
B. Did Wyndham Have Fair Notice of the Meaning of § 45(a)?
Having decided that Wyndham is entitled to notice of the meaning of the statute, we next consider whether the case should be dismissed based on fair notice principles. We do not read Wyndham’s briefs as arguing the company lacked fair notice that cybersecurity practices can, as a general matter, form the basis of an unfair practice under § 45(a). Wyndham argues instead it lacked notice of what specific cybersecurity practices are necessary to avoid liability. We have little trouble rejecting this claim.
To begin with, Wyndham’s briefing focuses on the FTC’s failure to give notice of its interpretation of the statute and does not meaningfully argue that the statute itself fails fair notice principles. We think it imprudent to hold a 100-year-old statute unconstitutional as applied to the facts of this case when we have not expressly been asked to do so.
Moreover, Wyndham is entitled to a relatively low level of statutory notice for several reasons. Subsection 45(a) does not implicate any constitutional rights here. Vill. of Hoffman Estates v. Flipside, Hoffman Estates, Inc.,
In this context, the relevant legal rule is not “so vague as to be ‘no rule or standard at all.’ ” CMR D.N. Corp.,
What appears to us is that Wyndham’s fair notice claim must be reviewed as an as-applied challenge. See United States v. Mazurie,
Wyndham’s as-applied challenge falls well short given the allegations in the FTC’s complaint. As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, Compl. at ¶ 24(a), did not restrict specific IP addresses at all, id. at ¶ 24(j), did not use any encryption for certain customer files, id. at ¶ 24(b), and did not require some users to change their default or factory-setting passwords at all, id. at ¶ 24(f). Wyndham did not respond to this argument in its reply brief.
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.
Several other considerations reinforce our conclusion that Wyndham’s fair notice challenge fails. In 2007 the FTC issued a guidebook, Protecting Personal Information: A Guide for Business, FTC Response Br. Attachment 1 [hereinafter FTC Guidebook], which describes a “checklist[ ]” of practices that form a “sound data security plan.” Id. at 3. The guidebook does not state that any particular practice is required by § 45(a), but it does counsel against many of the specific practices alleged here. For instance, it recommends that companies “consider encrypting sensitive information that is stored on [a] computer network ... [, c]heck ... software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches.” Id. at 10. It recommends using “a firewall to protect [a] computer from hacker attacks while it is connected to the
As the agency responsible for administering the statute, the FTC’s expert views about the characteristics of a “sound data security plan” could certainly have helped Wyndham determine in advance that its conduct might not survive the cost-benefit analysis.
Before the attacks, the FTC also filed complaints and entered into consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity. FTC Br. at 47 n.16. The agency published these materials on its website and provided notice of proposed consent orders in the Federal Register. Wyndham responds that the complaints cannot satisfy fair notice principles because they are not “adjudications on the merits.” Wyndham Br. at 41. But even where the “ascertainable certainty” standard applies to fair notice claims, courts regularly consider materials that are neither regulations nor “adjudications on the merits.”
See, e.g., United States v. Lachman,
Wyndham also argues that, even if the individual allegations are not vague, the complaints “fail to spell out what specific cybersecurity practices ... actually triggered the alleged violation, ... provid[ing] only a ... description of certain alleged problems that, ‘taken together,’” fail the cost-benefit analysis. Wyndham Br. at 42 (emphasis in original). We part with it on two fronts. First, even if the complaints do not specify which allegations, in the Commission’s view, form the necessary and sufficient conditions of the alleged violation, they can still help companies apprehend the possibility of liability under the statute. Second, as the Table below shows, Wyndham cannot argue that the complaints fail to give notice of the necessary and sufficient conditions of an alleged § 45(a) violation when all of the allegations in at least one of the relevant four or five complaints have close corollaries here. See Complaint, CardSystems Solutions, Inc., No. C-4168,
Table: Comparing CSS and Wyndham Complaints

1. CSS: Created unnecessary risks to personal information by storing it in a vulnerable format for up to 30 days, CSS at ¶ 6(1).
   Wyndham: Allowed software at hotels to store payment card information in clear readable text, Compl. at ¶ 24(b).

2. CSS: Did not adequately assess the vulnerability of its web application and computer network to commonly known or reasonably foreseeable attacks; did not implement simple, low-cost and readily available defenses to such attacks, CSS at ¶ 6(2)-(3).
   Wyndham: Failed to monitor network for the malware used in a previous intrusion, Compl. at ¶ 24(i), which was then reused by hackers later to access the system again, id. at ¶ 34.

3. CSS: Failed to use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network, CSS at ¶ 6(4).
   Wyndham: Did not employ common methods to require user IDs and passwords that are difficult for hackers to guess. E.g., allowed remote access to a hotel’s property management system that used default/factory setting passwords, Compl. at ¶ 24(f).

4. CSS: Did not use readily available security measures to limit access between computers on its network and between those computers and the Internet, CSS at ¶ 6(5).
   Wyndham: Did not use readily available security measures, such as firewalls, to limit access between and among hotels’ property management systems, the Wyndham network, and the Internet, Compl. at ¶ 24(a).

5. CSS: Failed to employ sufficient measures to detect unauthorized access to personal information
   Wyndham: Failed to employ reasonable measures to detect and prevent unauthorized access to
In sum, we have little trouble rejecting Wyndham’s fair notice claim.
V. Conclusion
The three requirements in § 45(n) may be necessary rather than sufficient conditions of an unfair practice, but we are not persuaded that any other requirements proposed by Wyndham pose a serious challenge to the FTC’s claim here. Furthermore, Wyndham repeatedly argued there is no FTC interpretation of § 45(a) or (n) to which the federal courts must defer in this case, and, as a result, the courts must interpret the meaning of the statute as it applies to Wyndham’s conduct in the first instance. Thus, Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform. Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case.
We thus affirm the District Court’s decision.
Notes
. On appeal, Wyndham also argues that the FTC fails the pleading requirements of an unfairness claim. As Wyndham did not request and we did not grant interlocutory appeal on this issue, we decline to address it.
. In addition to Wyndham Worldwide, the defendant entities are Wyndham Hotel Group, LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. For convenience, we refer to all defendants jointly as Wyndham.
. Id. ("[Petitioner] argues that ... [the 1964 statement] commits the FTC to the view that misconduct in respect of the third of these criteria is not subject to constraint as ‘unfair’ absent a concomitant showing of misconduct according to the first or second of these criteria. But all the FTC said in the [1964] statement ... was that '[t]he wide variety of decisions interpreting the elusive concept of unfairness at least makes clear that a method of selling violates Section 5 if it is exploitive or inequitable and if, in addition to being morally objectionable, it is seriously detrimental to consumers or others.’ ” (emphasis and some alterations in original, citation omitted)).
. The FTC has on occasion described deception as a subset of unfairness. See Int’l Harvester Co.,
. No doubt there is an argument that consumers could not reasonably avoid injury even absent the misleading privacy policy. See, e.g., James P. Nehf, Shopping for Privacy Online: Consumer Decision-Making Strategies and the Emerging Market for Information Privacy, 2005 U. Ill. J.L. Tech. & Pol’y 1 (arguing that consumers may care about data privacy, but be unable to consider it when making credit card purchases). We have no occasion to reach this question, as the parties have not raised it.
. Wyndham also points to a variety of cybersecurity bills that Congress has considered and not passed. “[S]ubsequent legislative history ... is particularly dangerous ground on which to rest an interpretation of a prior statute when it concerns ... a proposal that does not become law.” Pension Benefit Guar. Corp. v. LTV Corp.,
. We do not read Wyndham's briefing as raising a meaningful argument under the "discriminatory enforcement” prong. A few sentences in a reply brief are not enough. See Wyndham Reply Br. at 26 ("To provide the notice required by due process, a statement must in some sense declare what conduct the law proscribes and thereby constrain enforcement discretion.... Here, the consent decrees at issue ... do not limit the Commission's enforcement authority in any way.” (citation omitted)).
. See Ortiz v. N.Y.S. Parole,
. See also Bongiovanni,
. See Skidmore v. Swift & Co.,
. See Auer v. Robbins,
. See also Wis. Res. Prot. Council v. Flambeau Mining Co.,
. See Nat’l Cable & Telecomms. Ass’n v. Brand X Internet Servs.,
. See Garfias-Rodriguez v. Holder,
. See also Brand X Internet Servs.,
. See Fox Television Stations, Inc., ___ U.S. ___,
. See In re Metro-East Mfg. Co.,
. We asked, “All of your cases on fair notice pertain to an agency’s interpretation of its own regulation or the statute that governs that agency. Does this fair notice doctrine apply where it is a court announcing an interpretation of a statute in the first instance? ” Oral Arg. Tr. at 60 (emphases added).
. To the extent Wyndham could have raised this argument, we do not read its briefs to do so. Indeed, its opening brief appears to repudiate the theory. Wyndham Br. at 38-39 ("The district court below framed the fair notice issue here as whether 'the FTC must formally promulgate regulations before bringing its unfairness claim.’ With all respect, that characterization of Wyndham’s position is a straw man. Wyndham has never disputed the general principle that administrative agencies have discretion to regulate through either rulemaking or adjudication. See, e.g., [Bell Aerospace Co.,
. While civil statutes containing "quasi-criminal penalties may be subject to the more stringent review afforded criminal statutes,” Ford Motor Co.,
. For this reason, we agree with Wyndham that the guidebook could not, on its own, provide "ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices fail § 45(n). But as we have already explained, this is not the relevant question.
. We agree with Wyndham that the consent orders, which admit no liability and which focus on prospective requirements on the defendant, were of little use to it in trying to understand the specific requirements imposed by § 45(a).
. We recognize it may be unfair to expect private parties back in 2008 to have examined FTC complaints or consent decrees. Indeed, these may not be the kinds of legal documents they typically consulted. At oral argument we asked how private parties in 2008 would have known to consult them. The FTC’s only answer was that "if you’re a careful general counsel you do pay attention to what the FTC is doing, and you do look at these things.” Oral Arg. Tr. at 51. We also asked whether the FTC has "informed the public that it needs to look at complaints and consent decrees for guidance,” and the Commission could offer no examples. Id. at 52. But Wyndham does not appear to argue it was unaware of the consent decrees and complaints; it claims only that they did not give notice of what the law requires. Wyndham Reply Br. at 25 ("The fact that the FTC publishes these materials on its website and provides notice in the Federal Register, moreover, is immaterial — the problem is not that Wyndham lacked notice of the consent decrees [which reference the complaints] but that consent decrees [and presumably complaints] by their nature do not give notice of what
. The FTC asserts that five such complaints issued prior to the first attack in April 2008. See FTC Br. at 47-48 n.16. There is some ambiguity, however, about whether one of them issued several months later. See Complaint, TJX Co., No. C-4227 (FTC 2008) (stating that the complaint was issued on July 29, 2008). We note that this complaint also shares significant parallels with the allegations here.
