Wyndham Hotel Data Breach Order: 20 Years, PCI Standards and Franchise Oversight

In its widely followed Wyndham Hotels case, the FTC entered into a settlement agreement which will be in effect for 20 years and, among other things requires use of the Payment Card Industry Data Security Standard (“PCI DSS”) security standards for credit and debit card transactions, annual reporting to the FTC of third party audits of Wyndham’s compliance with the FTC approved standards, and imposes special obligations on franchisors and franchisees. While the settlement is by its terms applicable only to Wyndham, it is quite instructive for companies seeking to avoid entanglements.

Privacy Issues Becoming a Class Action

A recent federal appellate case involving Google underscores the need for companies to be truthful and open about their practices involving use of customer browsing and related data. Pending potential US Supreme Court appeal, the plaintiffs are allowed to maintain a class action lawsuit against Google as a result of its alleged undisclosed overriding of user “cookie blockers” to access internet history information, which was presumably used by Google and its advertisers to target web advertising in violation of California privacy laws.

A class action is quite risky for defendants in terms of potential damages and is usually settled on costly terms in view of such exposure. This is one of the few cases in which such status has been obtained as a result of allegedly inappropriate practices in the security or privacy areas. If the case is a precursor to similar treatment in the area by other courts, this raises the already high stakes associated with practice and disclosure in the area.

Making the case even more noteworthy is the fact that it did not involve any fraudulent activity resulting in economic loss to anyone. This illustrates the important distinction between security and privacy and the importance of ensuring proper practices in both areas. Rapidly changing state laws and FTC policies regarding tracking of internet browsing and mobile app location data make it essential to work closely with counsel to facilitate compliance.

A complaint very recently filed with the FTC against Google involving its Google Apps for Education service also illustrates the exposure. Even though no one suffered any financial loss, the complaint alleges that Google failed to adhere to its pledge to use data collected through such apps only for educational purposes. There is substantial and increasing scrutiny on companies’ privacy practices, which must be addressed separately and to the same extent as information security.

EU-US Data Transfers Absent a Safe Harbor

As to the latter, as has been widely reported by us and elsewhere, the Safe Harbor framework for certain data transfers (of personal information) between the EU and US was struck down in October by the EU Court of Justice. On January 31, 2016 the “grace period” for data flows from Europe to the US previously permissible under the Safe Harbor framework comes to a close. At such time, data practices may come under scrutiny, and many companies are at risk of enforcement actions by the various EU Data Protection authorities. As has been discussed, potential alternatives to the Safe Harbor (for large-scale and regular data transfers) include Standard Contract Clauses and Binding Corporate Rules prescribed by the EU, but some authorities in Europe have questioned these alternatives as well.

We are monitoring developments about a new Safe Harbor agreement that has been in the works since Edward Snowden’s revelations in 2014. The European Union Commissioner for Justice met with US officials last month to discuss cross-border data transfers and to continue negotiations of a new Safe Harbor agreement. There are some officials who believe that the new Safe Harbor framework could be in place by the expiration of the January 31, 2016, grace period. We cannot recommend a “wait and see” approach. Rather, we will closely monitor developments, and in the meantime encourage continued efforts toward permissible data flow mechanisms under the current framework and welcome discussions with you toward that end. In the same vein, in addition to use of prescribed contract clauses in major agreements, we suggest consideration of relocation of servers and/or processing of the most sensitive data to the EU. Our Privacy and Data Security lawyers are pleased to assist you in developing and implementing privacy and data security practices and policies and with your contract negotiations.