Following the Third Circuit’s ruling upholding the FTC’s authority to regulate unfair and deceptive cybersecurity practices under Section 5 of the FTC Act, Wyndham Worldwide Corporation and the FTC have agreed to settle. This marks the end to a hotly-contested and closely-watched case at the cross-roads of data security and regulatory enforcement.
As reported in our previous posts on this topic, Wyndham experienced three breaches of its systems in 2008 and 2009 resulting in the exposure of approximately 619,000 consumers’ credit card numbers. The FTC initiated an enforcement action in 2012 alleging that Wyndham engaged in unfair and deceptive cybersecurity practices in violation of Section 5 of the FTC Act. The FTC asserted that Wyndham’s cybersecurity practices were deficient in myriad ways that placed consumer data at risk of theft, for example, by storing payment card information in clear text, using weak and default passwords across networks, failing to install or misconfiguring firewalls, failing to adequately restrict vendor access to corporate networks, and failing to follow appropriate incident response procedures after successive cyberattacks.
Wyndham challenged the FTC’s authority to regulate cybersecurity. Claiming that the FTC had not articulated the specific cybersecurity practices required under Section 5, Wyndham argued it had inadequate notice that its cybersecurity practices could subject it to regulatory enforcement.
The Third Circuit rejected Wyndham’s arguments, finding that the company was not entitled to “ascertainable certainty” of the FTC’s interpretation of reasonable cybersecurity standards and noting that the FTC’s guides, reports, and previous case law and consent decrees provide fair notice to businesses as to the type of security practices that may or may not be adequate to protect consumer data, thus affirming the FTC’s use of Section 5 to regulate cybersecurity practices. A more thorough examination of the Third Circuit’s decision can be found here and here.
Under the terms of the proposed settlement agreement—with which Wyndham must comply for 20 years—Wyndham must implement a comprehensive, written information security program that includes the following measures:
- Conducting an assessment to identify risks to the security of credit card information;
- Implementing procedures to mitigate the risks identified in the risk assessment;
- Developing a procedure to vet vendors’ cybersecurity practices; and
- Designing a plan to retool the information security program as necessary to ensure ongoing security of credit card information.
- Submitting to annual third-party assessments to verify compliance with the Payment Card Industry Data Security Standards (PCI-DSS)
Additionally, if Wyndham’s systems are compromised in another breach affecting more than 10,000 payment card numbers, Wyndham must obtain a PCI DSS risk assessment within 180 days of discovering the breach. Each report must be provided to the FTC within 10 days after Wyndham receives it.
While this settlement focused a great deal on compliance with the PCI DSS standards, the FTC has made clear that companies cannot rely on PCI compliance alone to secure consumer data. The FTC addressed the Wyndham consent decree in its public statements made relating to its $100 million settlement with LifeLock, Inc., which was announced one week after Wyndham. Justifying its finding of data security lapses at LifeLock despite LifeLock having provided annual certifications of compliance with PCI DSS, the FTC noted, “Certifications alone will not suffice [to meet the obligations of providing adequate security safeguards], if we find evidence of security failures that put consumer information at risk. The injunctive relief we obtained in the Wyndham case corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections…[T]he existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.”
The Third Circuit’s decision and the subsequent settlement between Wyndham and the FTC should put to rest any doubts regarding the FTC’s authority—and more importantly, resolve—to regulate cybersecurity practices. Having prevailed before the Third Circuit, the FTC will undoubtedly continue to flex its cybersecurity muscles. In many ways, the Wyndham saga reinforces what many practitioners have been advising their clients for some time: there is a baseline of minimum cybersecurity practices that are reflected in industry guidelines and agency consent decrees that serve as a roadmap for staying out of regulatory crosshairs. A robust cybersecurity and risk mitigation program therefore requires periodic review and iteration to stay up to date not only with the latest security software, but also the latest regulatory reports and tools that can allow companies to map their policies and practices—and hopefully, fall outside the FTC’s watchful gaze.