A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry.

In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security failures that led to three data breaches at 45 Wyndham properties in less than two years. The action followed an expansive and expensive civil investigation by the Commission and is part of its ongoing efforts to ensure companies are working to secure and protect consumer data and privacy.

The FTC alleges that "Wyndham's privacy policy misrepresented the security measures that the company and its su"bsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury." The agency charged that the security practices were unfair and deceptive and violated the FTC Act. The failures led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia.

The case presents an excellent opportunity for companies handling financial or other sensitive data to evaluate risks and trends in the data security area, including:

  • Data breach risks specific to the hospitality industry
  • Enforcement and litigation risks and developments
  • Breach response steps Incident response planning
  • Trends and developments, including global notification obligations, foreign sovereign espionage, and SEC reporting.