On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.

As we previously reported on June 26, 2012, the FTC announced that it filed suit against Wyndham and three of its subsidiaries, alleging that the company posted misleading representations on Wyndham websites regarding how the company safeguarded customer information. In addition, the FTC alleged that Wyndham unfairly failed to maintain reasonable data security practices, leading to three separate data breaches involving hackers accessing sensitive consumer data. In response, Wyndham challenged the FTC’s authority to bring charges against private companies’ data security, arguing that by adopting targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Congress had precluded the FTC’s jurisdiction over data security. Wyndham also argued that before bringing a Section 5 enforcement action, the FTC must publish “rules, regulations, or other guidelines” setting out the acceptable security standards.

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion which allowed the FTC to proceed with its case against the company. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices.

On August 24, 2015, the Third Circuit’s three-judge panel upheld the District Court’s ruling that the unfairness prong of Section 5 of the FTC Act does empower the FTC to bring lawsuits against private companies for insufficient data security practices, and that the FTC is not required to publish rules or regulations regarding what constitutes reasonable security standards.

The December 9, 2015 settlement requires Wyndham, for the next 20 years, to:

  • Establish, implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of cardholder data;
  • Annually obtain a written assessment and certification of Wyndham’s hotels’ PCI Data Security Standard (“PCI DSS”) compliance from a qualified and independent third-party professional. The assessor also must certify that Wyndham safeguards the network connections between its franchisee hotels and engages in a comprehensive risk assessment as laid out in the PCI DSS Risk Assessment Guidelines. If Wyndham obtains the assessment certifying that it is PCI DSS compliant, Wyndham will not be required to establish the comprehensive information security program mentioned above; and
  • Within 180 days following a cardholder data breach involving more than 10,000 unique payment card numbers, obtain a PCI Forensic Investigator Final Incident Report (or the equivalent of such report). The Report must be provided to the FTC within 10 days.