On December 9, 2015, Wyndham Worldwide Corporation, and related companies (collectively, “Wyndham”), reached a settlement with the US Federal Trade Commission (FTC) to resolve claims arising from three data breaches that the hotel chain suffered over several years. Wyndham did not admit to the FTC’s allegations of deceptive and unfair practices, but agreed to meet a variety of data security and reporting requirements during the 20-year term of the consent order. Approved by the district court two days later, the consent order provides significant guidance regarding the FTC’s views on appropriate cybersecurity measures for companies that handle payment card information, including those built around a franchise model.
In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham’s corporate computer systems and stole credit card numbers. The FTC brought an enforcement action in federal court in New Jersey asserting (among other things) that Wyndham’s allegedly inadequate cybersecurity was “unfair” in violation of Section 5 of the FTC Act. Wyndham moved to dismiss on various grounds, including that the FTC lacked authority to bring enforcement actions alleging that cybersecurity practices were unfair to consumers. The district court rejected that argument, however, and the US Court of Appeals for the Third Circuit affirmed on August 24, 2015, setting the stage for the parties’ settlement.
Under the terms of the consent order, Wyndham agreed to establish, implement, and maintain “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects or receives in the United States from or about consumers.” The content and implementation of this program must be “fully documented in writing” and shall consist of enumerated “administrative, technical, and physical safeguards appropriate to [Wyndham’s] size and complexity, the nature and scope of [its] activities, and the sensitivity of the Cardholder Data at issue.” These safeguards include: designation of a coordinator for the information security program; the identification of material risks to cardholder data; an assessment of safeguards to control those risks (and implementation of further reasonable safeguards as necessary); and the use of reasonable steps to select and retain service providers, including contracts to require those service providers to implement and maintain appropriate safeguards for cardholder data.
Such provisions, including the 20-year term, are common features in consent decrees settling FTC investigations. The Wyndham settlement contains several additional features of interest to companies handling payment card information. In particular, Wyndham agreed to obtain an annual written assessment certifying its compliance with the Payment Card Industry Data Security Standard (PCI DSS) or another comparable standard selected by Wyndham and approved by the FTC. In addition:
- The designated assessor must certify, as to each Wyndham-branded hotel (defined to include independently-owned hotels that are operated in the United States pursuant to a management or franchise agreement), that the hotel has been assessed as PCI DSS compliant or that the network of that hotel is treated as an “untrusted network” within the meaning of the PCI DSS (i.e., that it is firewalled from the Wyndham network and various other safeguards are in place);
- The assessor reviewing Wyndham’s compliance must be an “objective, independent third-party professional” with expert technical qualifications;
- Wyndham must obtain a separate assessment if it suffers a breach that involves more than 10,000 unique payment card numbers; and
- A qualified assessor must certify that any “significant change” in Wyndham’s security practices does not cause it to “fall out of compliance” with the approved standard.
The consent order also subjects Wyndham to various reporting, recordkeeping, and monitoring requirements.