The FTC entered into a Consent Order last week with Wyndham Hotels and Resorts resolving the FTC’s allegations that Wyndham did not do enough to protect its customers’ credit card data from three data breaches that occurred in 2008 and 2009. The Consent Order comes on the heels of the Third Circuit’s opinion in the case, in which the court held that the FTC has authority to hold companies accountable for failing to safeguard consumer data. See Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
Specifically, the Complaint alleges that:
- Wyndham allowed its hotels to store payment card information in clear readable text;
- Wyndham allowed the use of easily guessed passwords to access the property management systems;
- Wyndham failed to use readily available security measures such as firewalls to limit access between the hotels’ property management systems, corporate network and the internet;
- Wyndham did not ensure that its hotels implemented adequate information security policies and procedures;
- Wyndham failed to adequately restrict access of third-party vendors to its network and servers;
- Wyndham failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations;
- Wyndham did not follow proper incident response procedures. Wyndham did not monitor its network for malware used in the prior intrusions. As a result, the hackers in each of the three breaches used similar methods to gain access to credit card information.
The FTC’s complaint alleges that on three separate occasions in 2008 and 2009 hackers gained access to Wyndham’s network and property management systems and obtained unencrypted information for over 619,000 consumers. The complaint alleges that Wyndham participated in deceptive and unfair acts or practices related to its data security because it was not proactive in its response after the first data breach, specifically by not addressing the weaknesses of its system that led to the initial attack. As a result, hackers were able to successfully use similar methods in each of the two subsequent attacks. The Consent Order, which will remain in effect for twenty years, requires Wyndham, among other things:
- To establish and implement a comprehensive written information security program that is reasonably designed to protect the security, confidentiality, and integrity of its customers’ credit card data;
- To annually obtain written assessments of its compliance with certain agreed-upon data security standards; and
- To maintain records of its efforts, including audits, policies, and assessments which may be accessed by the FTC upon request.
Businesses which store nonpublic personal information should take note of the FTC Consent Order and take the following lessons to heart:
- Businesses must develop a Written Information Security Program (“WISP”) which identifies reasonably foreseeable internal and external risks to the security and confidentiality of customer information that could lead to the unauthorized disclosures of personal private information;
- Businesses must continually assess the sufficiency of the institution’s safeguards and operational risks including detecting, preventing and responding to attacks against the institution’s systems;
- Businesses must evaluate and adjust the WISP in light of relevant circumstances and changes in the company’s environment, business offerings and operations, as well as the results of security testing and monitoring and any cybersecurity breaches which may occur;
- The FTC has established through the Wyndham litigation that it has authority to bring claims against businesses for cybersecurity intrusions under the “unfair and deceptive” umbrella of Section 5 of the FTC Act;
- Businesses are on notice of the FTC’s interpretation of what cybersecurity practices are required by Section 5 of the FTC Act; and
- Businesses should carefully monitor FTC Consent Orders regarding data breaches and use those consent orders to better model their practices.
Additionally, businesses which store nonpublic personal information should familiarize themselves with state statutes which govern cybersecurity attacks in the event one occurs. The majority of states have adopted state breach statutes setting forth the notice requirements to consumers, credit reporting agencies and law enforcement in the event a breach occurs.