The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court. The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices. Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.
The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards. The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).
Those provisions include Wyndham agreeing to undertake the following:
- Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
- Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
- Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;
- Provide all assessments to FTC;
- Keep records relied on to prepare each annual assessment for three years; and
- Submit to compliance monitoring by the FTC.
Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.