Yesterday the Federal Trade Commission (FTC) announced that it reached a settlement agreement with Wyndham Worldwide Corporation regarding alleged deficiencies in the company’s data security practices. The settlement marks a conclusion to litigation initiated by the FTC in 2012 and follows an August 2015 decision by the US Court of Appeals for the Third Circuit to allow the FTC to continue to pursue its case against Wyndham under Section 5 of the FTC Act.
In 2010, the FTC launched an investigation into three breaches of Wyndham’s information systems involving the unauthorized access and subsequent transfer of the unencrypted personal and payment card information of 619,000 Wyndham customers. The breaches resulted in millions of dollars in fraudulent charges to the accounts of affected customers. At the conclusion of its investigation, the FTC filed a lawsuit against Wyndham on the grounds that the company’s failure to take reasonable measures to secure the sensitive personal information of its customers amounted to an “unfair act or practice” in violation of Section 5 of the FTC Act. In response, Wyndham moved to dismiss the FTC’s action in part on the basis that the FTC Act does not authorize the FTC to regulate cybersecurity. After Wyndham’s motion was dismissed by a federal trial court, the company appealed to the Third Circuit.
The Third Circuit upheld the FTC’s authority to regulate companies’ data security practices, asserting that congressional actions subsequent to the enactment of the FTC Act were not meant to exclude cybersecurity from the ambit of practices protected under the Act and that Wyndham had fair notice that its failure to maintain reasonable and appropriate data security measures for the protection of its customers’ personal information could constitute a violation of the FTC Act.
With the FTC’s authority to regulate data security practices established, at least in this case, the path was cleared for settlement in the Wyndham case. The proposed order requires Wyndham to: (i) develop a comprehensive information security program that is reasonably designed to protect the security, integrity, and confidentiality of cardholder data; and (ii) obtain an independent annual assessment under the Payment Card Industry Data Security Standard (“PCI DSS”) certifying that the company safeguards connections within its hotels and engages in comprehensive risk management under the PCI DSS guidelines.
As we’ve noted previously, the Wyndham saga highlights for a variety of companies the importance of designing, maintaining, and independently testing data security systems and practices to ensure the secure collection, storage, and transfer of sensitive consumer information. In addition, this case serves as a reminder for companies to carefully review representations made to customers regarding data security through privacy notices, contracts, and other consumer-facing materials to verify their accuracy. Although the Third Circuit’s opinion upheld the FTC’s authority, with this settlement a court has yet to adjudicate whether Wyndham’s, or any other company’s, data security practices were “unfair” under the FTC Act. Companies and their advisors are still left to interpret the appropriate standard from FTC consent agreements and informal guidance.