On December 9, Wyndham Hotels and Resorts (“Wyndham”) agreed to a landmark settlement with the Federal Trade Commission (“FTC”) stemming from the FTC’s lawsuit against it after three data breaches that occurred between 2008 and 2010. The settlement is the first of its kind, and will provide companies with guidelines and standards as to what the FTC considers sufficient practices for corporate data protection.
The FTC filed its lawsuit after hackers stole more than 619,000 credit- and debit-card numbers from Wyndham. The FTC alleged that Wyndham failed to maintain reasonable data security practices because it used outdated software that failed to receive security updates, which left consumer data unprotected. Wyndham denied these allegations, and accused the FTC of penalizing the victim of the hacking instead of the actual hacker culprits.
In April 2014, the U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss, and held that the FTC could pursue claims for unfair data security practices. In August 2015, the Third Circuit affirmed the District Court’s ruling that Section 5 of the FTC Act empowers the FTC to bring lawsuits against private companies for insufficient data security practices.
This settlement forecloses any answer to how the case would have fared at trial, but it does provide a framework for other companies confronted with similar situations. Under the settlement, Wyndham is obligated to implement and maintain a comprehensive information security program designed to protect cardholder data; obtain annual written assessments and certifications of Wyndham’s Payment Card Industry Data Security Standard (PCI DSS) compliance from a qualified and independent third-party professional; ensure that the networks of its franchisees are properly protected; and have that audit certify the “untrusted” status of franchisee networks, so that future attackers cannot reuse the methods employed in the previous breaches.
The settlement does not impose a monetary penalty and does not hold Wyndham liable for any violations. What does this mean going forward? Perhaps this shows the FTC is focusing on ensuring better data security practices rather than penalizing companies that have been breached. Or perhaps Wyndham was treated more leniently because its breaches occurred before data breaches became commonplace. Regardless, this settlement will provide a good benchmark for any company that finds itself in litigation with the FTC over data security.