Complaint Holds Wyndham Hotels Accountable for Alleged Data Security Flaws at Independent Franchisee Locations

On June 26, 2012, the Federal Trade Commission (“FTC”) filed a lawsuit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries (the Defendants”) alleging that the companies engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 independently-owned Wyndham-branded hotels with whom the Defendants maintained franchise agreements.

The Complaint, filed in U.S. District Court in Arizona, claims that the Defendants’ failure to implement reasonable data security safeguards at the franchisee locations allowed computer hackers to breach franchisee computer systems and the Wyndham hotel data center on three separate occasions and access the financial account information for more than 600,000 hotel customers. The Complaint also claims that the Defendants’ privacy policy misrepresented the extent to which the company protected consumers personal information. The Complaint seeks injunctive relief to prevent future violations of the FTC Act by the Defendants, as well as monetary relief for the affected hotel customers.

The FTC’s Complaint is significant for two reasons. One, it represents the first time that the FTC will litigate its theory as to whether an entity’s privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act (past FTC cases have resulted in pre-litigation settlements or informal closings of investigations). Two, the lawsuit reflects the FTC’s position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.