Notably, the FTC's Complaint targets the Defendants, rather than the independently-owned franchisee locations where several of the breaches occurred, on the premise that the Defendants "controlled the acts and practices" at issue at each franchisee location. According to the Complaint:
- The Defendants maintained direct control over each franchisee's information technology and data security function and required each franchisee to purchase and configure to Defendants' specifications a property management computer system used to manage reservations, room inventory, and process hotel guests' payment card transactions;
- The Defendants established all rules and password requirements that allowed franchisee employees to access the hotel IT systems; and
- The Defendants hired employees to administer the franchisee hotels' computer networks, and provided technical support to resolve any issues with each franchisee's property management system.
In exchange for the Defendants' IT services and the connection to the Defendants' computer network, the franchisees paid a fee to the Defendants.
Specific data security flaws alleged by the FTC include as follows:
- Failing to employ firewalls to limit access between and among the franchisees, the Wyndham data network, and the Internet;
- Failing to ensure that franchisees implemented adequate security procedures before connecting to the Wyndham network;
- Allowing franchisees to connect non-secure servers (including servers that could not receive security updates or patches) to the Wyndham network;
- Failing to require franchisees to employ complex passwords that hackers could not easily guess; and
- Failing to remedy known security vulnerabilities on franchisee servers that were connected to Defendants' computer network.
The FTC claims that the lack of sufficient data security protections allowed hackers to access the Wyndham data center on three separate occasions between April 2008 and January 2010. In the first instance, the Commission claims that hackers gained unauthorized access to anArizonafranchisee's local computer network that was connected to the Defendants' computer network. The hackers were then able to guess the user ID and password of an administrator account, giving them unrestricted access to the property management systems at other franchisee locations. The Complaint states that, during the course of the three breaches, the hackers obtained payment card account numbers, expiration dates, and security codes for more than 619,000 customers, and then exported a large portion of the account information to a domain registered in Russia. According to the FTC, the breaches resulted in more than $10.6 million in fraudulent charges to the compromised customer accounts.
The FTC's Complaint is significant for two reasons. One, it represents the first time that the FTC will litigate its theory as to whether an entity's privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act1 (past FTC cases have resulted in pre-litigation settlements or informal closings of investigations). Two, the lawsuit reflects the FTC's position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.