On December 9, 2015, Wyndham Worldwide Corporation agreed to settle a suit filed by the Federal Trade Commission (“FTC”) alleging that the hotel chain engaged in unfair and deceptive practices by holding itself out as maintaining proper security measures for its customer data while failing to live up to those representations. Although Wyndham initially challenged the FTC’s authority to regulate such measures, the U.S. Court of Appeals for the Third Circuit rejected Wyndham’s claims. The settlement was the end result of Wyndham’s allegedly faulty cybersecurity measures, which led to a data breach involving more than 600,000 consumers and $10.6 million in fraudulent charges between 2008 and 2010. While Wyndham did not admit liability or pay any monetary penalty, the terms of the settlement provide insight into the FTC’s view of what constitutes reasonable security measures.
Key Takeaways from the Settlement
The settlement requires Wyndham to “establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data.” According to the FTC, the elements of such a security program are as follows:
- Designation of a dedicated employee or a team of employees to coordinate a business’s information security program;
- Identification and assessment of a business’s internal and external security risks, including but not limited to an assessment of the business’s information systems, cybersecurity prevention plan, data breach or system failure response plan, employee training and management, and other business-related risks;
- Implementation and evaluation of “reasonable safeguards to control the risks identified through risk assessment,” which includes the regular testing or monitoring of the effectiveness of a business’s key information controls, systems, and procedures;
- Development and use of “reasonable steps to select and retain service providers capable of appropriately safeguarding cardholder data,” which requires a business to engage any service providers by contract to implement and maintain their own appropriate safeguards; and
- Evaluation and adjustment of a business’s security program in light of any testing and monitoring results which a business knows or reasonably should know will have a material impact on the effectiveness of its information security program.
The settlement requires the content of this program to be set out in writing. In addition, the settlement requires that Wyndham furnish the FTC annually with a written assessment of the company’s compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alongside the assessment, Wyndham must certify that the network of each of its branded hotels is either included in the assessment or has otherwise, within the past 12 months, been fully tested and validated as compliant with the plan. Wyndham must also certify that the assessment was conducted by a qualified, objective third party and that any professional performing it belongs to a qualified organization. Should Wyndham fail any such assessment, the settlement gives Wyndham 60 days to re-certify its compliance. Wyndham is required to perform these annual certification measures for 20 years, until 2036.
FTC Security Investigations—A Growing Force
The Wyndham settlement underscores the FTC’s authority to enforce data privacy and security standards against companies, and the FTC is not afraid to use that power aggressively. On December 21, 2015, the FTC settled a similar action with the software company Oracle. As in the Wyndham suit, the FTC alleged that Oracle released several new versions of its widely installed Java SE software that, when installed, gave written assurances that Java provided safe and secure access to content. According to the FTC, Oracle was aware of at least 44 types of malware known to capture users’ passwords, yet failed to inform users that its installer left older versions of Java SE on the computer. Those older versions remained installed and exploitable, rendering the computer more vulnerable to malware even after the user had applied the update. Given these security lapses, the FTC charged that advertising the product as “safe and secure” was deceptive. Like the Wyndham settlement, the Oracle settlement required notices to customers, additional security measures, and changes to Oracle’s advertisements.
Businesses should ensure the accuracy of their representations when drafting, updating, and maintaining cybersecurity, privacy, and data protection materials, as the legal landscape is constantly evolving. A security program that falls short of what a company advertises could result in costly, long-running regulatory oversight by the FTC.