In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010. (Stipulation of Settlement available here.)  After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.  Wyndham moved to dismiss the FTC’s complaint, arguing that the FTC did not have the authority to police data security under Section 5 and that it had not promulgated clear data security guidelines to provide organizations with fair notice of the Commission’s expectations.

The district court denied Wyndham’s motion to dismiss, but granted Wyndham the right to immediately appeal its ruling.  The Third Circuit affirmed the district court on both issues.

Wyndham’s settlement last week was the latest and most surprising development in this long running saga.  The settlement requires Wyndham to submit to information security audits for 20 years.  The audits must be conducted by a third party data security auditor.  As part of the audit, Wyndham must: (1) certify the “untrusted status” of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches; (2) certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and (3) certify that the auditor is qualified, independent, and free from conflicts of interest.

What lessons should companies and their counsel draw from Wyndham’s settlement?

  • Companies that collect and store consumer information must continue to navigate a data security environment without precise statutory guidance as to what constitutes “reasonable” data protection standards.  However, companies would be well advised to review the FTC’s June 2015 publication, entitled “Start with Security: A Guide for Business”, available here.
  • The FTC will charge all companies with knowledge of its various reports, announcements and consent decrees concerning data security.
  • In some respects, these components comprise a dynamic and evolving “common law” of data security from the FTC.
  • In the absence of new data security legislation, and as it has for more than a decade, the FTC will continue to use Section 5 to develop, on a case-by-case basis, this common law of data security.
  • At least in the Third Circuit, the FTC has clear authority to enforce data security practices under Section 5’s unfairness prong.

Finally, it is vitally important that companies and their counsel remain abreast of the FTC’s views on data security as announced through each successive publication, statement and consent decree.  Although the FTC now relies on Section 5 to regulate data security, it has supported various legislative proposals that would expand its legal authority to regulate data security beyond what is covered by Section 5.