Wyndham Agrees to Settle FTC Data Security Case

After four years of litigation, this past Wednesday, Wyndham Worldwide Corporation and three of its subsidiaries (collectively, “Wyndham”) settled the Federal Trade Commission’s (“FTC”) allegations that the global hospitality company failed to protect consumers’ personal information in violation of Section 5 of the FTC Act. Between 2008 and 2009, Wyndham suffered a series of data breaches that involved the credit and debit card information of more than 600,000 hotel customers. This settlement comes on the heels of the Third Circuit Court of Appeals decision that affirmed the FTC’s authority to bring an action for lax data security practices under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. We described the appellate decision at length here (see additional coverage of the Wyndham case here and here). The settlement covers a 20-year period and does not involve a civil penalty. However, Wyndham must (1) implement and maintain a comprehensive information security program subject to annual third-party audits and (2) timely provide each written audit assessment to the FTC.

Under the settlement, Wyndham must have a comprehensive information security program that is reasonably designed to protect credit and debit card information. Additionally, Wyndham must obtain third-party audits of its program based on the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The annual audit must include a certification of the following three (3) factors:

  1. whether any network at a Wyndham-branded hotel (including franchisee hotels) where there are people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data is designated as an “untrusted network,” and if the network is not treated as untrusted, whether it is included within the scope of the audit or subject to a separate audit;
  2. the extent of Wyndham’s compliance with each element of a risk management protocol (consistent with PCI DSS); and
  3. that Wyndham’s assessment was conducted by a qualified, independent auditor, free from conflicts of interest.

For any subsequent Wyndham breaches involving 10,000 or more unique credit or debit cards, Wyndham will have to obtain a third-party forensic investigation assessment and produce it to the FTC within 180 days following discovery of the breach. Wyndham will remain under order for 20 years, violation of which can subject Wyndham to civil penalties. We note that the settlement does not apply to Wyndham’s information security practices generally. In fact, it is narrowly tailored to credit and debit card information (such as primary account number, cardholder name, expiration date, and/or service code). More information on the settlement order and how it will affect Wyndham and its consumers can be found here.