Wyndham’s settlement with the FTC: What it means for businesses – and consumers

Share This Page

Data security watchers read with interest the United States Court of Appeals’ decision earlier this year in FTC v. Wyndham, upholding the FTC’s authority to challenge allegedly lax data security practices under the unfairness prong of the FTC Act. We view that ruling as a milestone victory for consumers and for companies of all sizes that are committed to keeping customers’ personal information secure. Now there’s another big development in the FTC’s law enforcement action against Wyndham and you’ll want to be among the first to know.

Just to recap, the FTC sued Wyndham and three subsidiaries in 2012, alleging that data security failures led to three breaches in less than two years. According to the complaint, hackers infiltrated the network of a Wyndham franchisee and then exploited lax security on Wyndham’s corporate network to grab sensitive consumer data from dozens of other Wyndham franchisees. Those breaches resulted in the transfer of account data about hundreds of thousands of consumers to a website registered in Russia – and millions of dollars of fraudulent charges on consumers’ credit and debit cards. The district court ruled that the FTC had the authority to challenge Wyndham’s conduct under the FTC Act. The Third Circuit heard an immediate appeal of that legal issue and ruled in the FTC’s favor

Today, the FTC and Wyndham announced a proposed settlement in the case. You’ll want to read the order for the details, but check out these provisions of note.

Under Part I of the proposed Order, the company must establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years.

Furthermore, the Order requires Wyndham to specifically consider risks arising from network connections between Wyndham-branded hotels and the corporate data center. The FTC sees that as an essential provision because the breaches alleged in the complaint arose from weaknesses in those connections.

Part II of the Order requires Wyndham to get an annual independent assessment under the Payment Card Industry Data Security Standard – most businesses know it as PCI DSS – an industry standard for entities that accept credit cards. But it doesn’t end there. Part II includes additional provisions to beef up what’s required under the PCI DSS. These additional provisions include requiring an independent third-party auditor to certify that:

  • Wyndham safeguards the connections with its franchisee hotels;
  • Wyndham engages in a comprehensive risk assessment as laid out in the PCI-DSS risk assessment guidelines; and
  • The auditor is truly independent from Wyndham.

If the independent assessment required by Part II establishes that Wyndham is in full compliance, the FTC will consider it to be in compliance with the comprehensive information security program required by Part I also. All bets are off, however, if Wyndham in any way deceives the auditor or significantly changes the system after the audit.

What’s the legacy of FTC v. Wyndham?  First, the Court of Appeals’ decision affirms the FTC’s use of Section 5 to challenge unreasonable data security practices.  Second, the lessons of this case – and the FTC’s 50+ other data security settlements – offer guidance to other businesses about building sensible security into your day-to-day operations.

The FTC has free resources to help companies start with security.

 

Comments

This could be a real game changer. My only worry is that the FTC has to be clear about what kinds of violations will lead to an enforcement action and also what kind of level of effort is enough to avoid becoming a named party. The last thing that is needed is another arbitrary regulatory risk.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.