FTC Complaint Holds Wyndham Hotels Accountable for Alleged Data Security Flaws at Independent Franchisee Locations

Kelley Drye Client Advisory

On June 26, 2012, the Federal Trade Commission (“FTC”) filed a lawsuit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries (the Defendants”) alleging that the companies engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 independently-owned Wyndham-branded hotels with whom the Defendants maintained franchise agreements.  The Complaint, filed in U.S. District Court in Arizona, claims that the Defendants’ failure to implement reasonable data security safeguards at the franchisee locations allowed computer hackers to breach franchisee computer systems and the Wyndham hotel data center on three separate occasions and access the financial account information for more than 600,000 hotel customers.  The Complaint also claims that the Defendants’ privacy policy misrepresented the extent to which the company protected consumers personal information.  The Complaint seeks injunctive relief to prevent future violations of the FTC Act by the Defendants, as well as monetary relief for the affected hotel customers.

Notably, the FTC’s Complaint targets the Defendants, rather than the independently-owned franchisee locations where several of the breaches occurred, on the premise that the Defendants controlled the acts and practices” at issue at each franchisee location.  According to the Complaint:

  • The Defendants maintained direct control over each franchisee’s information technology and data security function and required each franchisee to purchase and configure to Defendants’ specifications a property management computer system used to manage reservations, room inventory, and process hotel guests’ payment card transactions;
  • The Defendants established all rules and password requirements that allowed franchisee employees to access the hotel IT systems; and
  • The Defendants hired employees to administer the franchisee hotels’ computer networks, and provided technical support to resolve any issues with each franchisee’s property management system.

In exchange for the Defendants’ IT services and the connection to the Defendants’ computer network, the franchisees paid a fee to the Defendants.

According to the Complaint, the data security protections put in place by the Defendants at the franchisee locations were inadequate and unreasonably and unnecessarily” exposed consumers’ personal data to unauthorized access and theft.  The FTC also claims that the data security features at the franchisee locations contradicted the Defendants’ privacy policy which claimed that the companies employed commercially reasonable efforts to create and maintain fire walls’ and other appropriate safeguards. . . .”

Specific data security flaws alleged by the FTC include as follows:

  • Failing to employ firewalls to limit access between and among the franchisees, the Wyndham data network, and the Internet;
  • Failing to ensure that franchisees implemented adequate security procedures before connecting to the Wyndham network;
  • Allowing franchisees to connect non-secure servers (including servers that could not receive security updates or patches) to the Wyndham network;
  • Failing to require franchisees to employ complex passwords that hackers could not easily guess; and
  • Failing to remedy known security vulnerabilities on franchisee servers that were connected to Defendants’ computer network.

The FTC claims that the lack of sufficient data security protections allowed hackers to access the Wyndham data center on three separate occasions between April 2008 and January 2010.  In the first instance, the Commission claims that hackers gained unauthorized access to anArizonafranchisee’s local computer network that was connected to the Defendants’ computer network.  The hackers were then able to guess the user ID and password of an administrator account, giving them unrestricted access to the property management systems at other franchisee locations.  The Complaint states that, during the course of the three breaches, the hackers obtained payment card account numbers, expiration dates, and security codes for more than 619,000 customers, and then exported a large portion of the account information to a domain registered in Russia.  According to the FTC, the breaches resulted in more than $10.6 million in fraudulent charges to the compromised customer accounts.

The FTC’s Complaint is significant for two reasons.  One, it represents the first time that the FTC will litigate its theory as to whether an entity’s privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act1 (past FTC cases have resulted in pre-litigation settlements or informal closings of investigations).  Two, the lawsuit reflects the FTC’s position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.  Kelley Drye will continue to follow this case closely, and will address relevant updates on adlawac​cess​.com.

Kelley Drye & Warren LLP

Kelley Drye & Warren’s Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients’ customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

For more information about this advisory, contact:

Dana Rosenfeld
(202) 342-8588
drosenfeld@​kelleydrye.​com

Alysa Hutnik
(202) 342-8603
ahutnik@​kelleydrye.​com

1 The standard for deception” under Section 5 is whether a material representation would mislead a reasonable consumer.  The standard for unfairness” is whether the alleged conduct caused substantial injury to consumers, which the consumers could not reasonably avoid, and which was not offset by benefits to the consumers or competition.