Wyndham Agrees to Settle FTC Data Security Case
After four years of litigation, this past Wednesday, Wyndham Worldwide Corporation and three of its subsidiaries (collectively, “Wyndham”) settled the Federal Trade Commission’s (“FTC”) allegations that the global hospitality company failed to protect consumers’ personal information in violation of Section 5 of the FTC Act. Between 2008 and 2009, Wyndham suffered a series of data breaches that involved the credit and debit card information of more than 600,000 hotel customers. This settlement comes on the heels of the Third Circuit Court of Appeals decision that affirmed the FTC’s authority to bring an action for lax data security practices under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. We described the appellate decision at length here (See additional coverage of the Wyndham case here and here). The settlement covers a 20-year period and does not involve a civil penalty. However, Wyndham must (1) implement and maintain a comprehensive information security program subject to annual third-party audits and (2) timely provide each written audit assessment to the FTC.
Under the settlement, Wyndham must have a comprehensive information security program that is reasonably designed to protect credit and debit card information. Additionally, Wyndham must obtain third-party audits of its program based on the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The annual audit must include a certification of the following three (3) factors:
- whether any network at a Wyndham-branded hotel (including franchisee hotels) where there are people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data is designated as an “untrusted network,” and if the network is not treated as untrusted, whether it is included within the scope of the audit or subject to a separate audit;
- the extent of Wyndham’s compliance with each element of a risk management protocol (consistent with PCI DSS); and
- that Wyndham’s assessment was conducted by a qualified, independent auditor, free from conflicts of interest.