The recent settlement entered into between the Federal Trade Commission (FTC) Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court provides Wyndham Hotels and Resorts with a safe harbor for liability for payment card breaches. Other companies should consider whether they should adopt practices that will allow them to argue that this safe harbor should apply to them too (or if their existing practices are already consistent with this safe harbor). Finally, this Consent Order is a victory for companies operating under the franchise business model because the FTC backed off from its position that Wyndham must guarantee the security of franchised operations. 

The FTC brought suit against Wyndham after Wyndham Hotels and Resorts properties were the victims of hacking incidents that resulted in a compromise of customer payment card data. The FTC’s complaint alleged that the data security practices in place at the affected hotels and at Wyndham itself were “unfair” and Wyndham’s privacy policy’s statements regarding those practices were “deceptive,” in violation of Section 5 of the FTC Act, 15 U.S.C. § 45. (The FTC effectively abandoned the deceptive claim because it is not referenced in the binding paragraphs of the Consent Order.) Last Spring, the Third Circuit entered an order in this proceeding affirming the FTC’s authority to bring “unfairness claims” based on a company’s alleged failure to establish adequate cybersecurity practices, but also setting a high bar for the FTC to prove such claims. We previously discussed the significant proof burdens imposed on the FTC by this decision n our blog here.

The Consent Order requires only Wyndham Hotels and Resorts – not Wyndham general and not any of the hotels affected by the hacking incidents – to adopt a comprehensive information security program. Moreover, the program covered by the Consent Order applies payment card information only, not all categories of personal information.

In agreeing to the entry this Consent Order, the FTC made a significant departure from its past practices by expressly identifying in the binding paragraphs of the Consent Order the necessary elements of a comprehensive security program. Specifically, Wyndham can satisfy its obligations under the Consent Order with a security program that contains the following elements:

  • Designation of an individual or individuals responsible for the security program;
  • Identification of risks through risk assessments;
  • Design and implementation of reasonable safeguards to control the risks identified through risk assessments;
  • Establishment of reasonable procedures to select and maintain service providers; and
  • Adjustment of the information security program where appropriate due to risks and monitoring required or through material changes to operations.

This listing is a summary; these requirements are spelled out in greater detail in the binding paragraphs of the Consent Order.

Companies subject to FTC jurisdiction should consider how their current data security programs line up against these requirements.

Most important, the Consent Order provides that by obtaining certain certifications related to Payment Card Industry (“PCI”) compliance, Wyndham Hotels and Resorts can satisfy its reporting requirement under the Consent Order and show its compliance with the Consent Order. This certification procedure effectively establishes a safe harbor through which Wyndham Hotels and Resorts can show its compliance with the Consent Order. Other companies under the jurisdiction of the FTC should consider whether their existing procedures for establishing PCI compliance are consistent with the certification procedures set forth in the Consent Order.

Finally, the Consent Order does not require Wyndham to be responsible for data security practices at any franchised hotel. This is a significant point as the FTC in the litigation advocated making Wyndham responsible for the data security practices at franchised sites. Wyndham argued against having such responsibility, because it would have turned the franchise business model upside down, in terms of eroding long-established parameters concerning the level of control typically maintained by franchisors over franchisees. The Consent Order maintains these established parameters because it does not require Wyndham to guarantee the data security practices at independently owned and operated hotel locations.

The battle between the FTC and Wyndham was long and hard fought. Ultimately, industry won because the Consent Order sets forth a clear framework for companies to minimize their regulatory risk going forward.