In a significant development, Wyndham Hotels and Resorts reached a settlement with the Federal Trade Commission in the high-profile litigation that began with allegations that the hotel chain broke its privacy promises to customers and grew into a frontal challenge to the Commission's authority to regulate data security.
The dispute arose when the agency sued, asserting that Wyndham violated Section 5 of the Federal Trade Commission Act by misrepresenting the strength of its data security and by failing to maintain reasonable safeguards, pointing to three intrusions between 2008 and 2010 that led to more than $10.6 million in fraudulent charges. Wyndham fired back with a direct challenge to the FTC's authority to bring an unfairness claim in the data security context at all.
A federal court judge sided with the agency by declining to "carve out a data security exception" to the FTC's authority. Wyndham appealed, arguing that the Commission lacked authority to regulate cybersecurity under the unfairness prong of the FTC Act and that the company did not have fair notice that its specific cybersecurity practices could fall short of that provision.
In August 2015, the Third Circuit Court of Appeals affirmed the district court on both points. To end the closely watched legal battle, the parties announced a settlement agreement in December.
Pursuant to the deal, Wyndham will establish a comprehensive information security program to protect cardholder data, such as payment card numbers, names, and expiration dates.
The program must be audited annually by a qualified, independent auditor, and each audit must certify three things: that the program conforms to the Payment Card Industry Data Security Standard (PCI DSS); that it contains a formal risk assessment process for identifying and analyzing data security risks; and that it treats franchisee networks as "untrusted" with respect to the corporate network (a preventive measure aimed at the path the attackers used in the prior breaches, where a compromised franchise property served as the entry point to corporate systems). If the audit certifies compliance with these requirements, the security program will be deemed to satisfy the order.
Obligations under the settlement will remain in place for 20 years. If Wyndham suffers another data breach affecting more than 10,000 payment card numbers, the company must obtain an assessment of the breach and provide it to the FTC within 10 days.
The stipulated order in FTC v. Wyndham Worldwide Corporation sets out the full terms.
Why it matters: "This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC Chairwoman Edith Ramirez said in a statement. "Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area." In a statement of its own, Wyndham said it was pleased with the settlement, particularly as the hotel chain was not held liable for any violations or required to pay any monetary relief. The groundbreaking case offers several lessons for companies: the FTC has authority under Section 5 to bring enforcement actions over data breaches; inadequate data security practices can be challenged as deceptive or unfair trade practices; and the terms of the settlement indicate that a certified PCI DSS program, supplemented by the order's own requirements (a formal risk assessment process and segmentation of franchisee networks as untrusted), will be treated as satisfying the agency's security-program expectations. Practitioners should note the limits of that last point: the safe harbor is tied to the order's enhanced definition of compliance, not to a bare PCI DSS attestation, and a future breach still triggers the mandatory assessment and reporting obligation.