After a series of cyber-attacks in 2008 and 2009 which caused customers of Wyndham Worldwide Hotels to have their credit card details and personal information unlawfully obtained and in some cases to then receive ransom demands, complaints were made to the company which delayed in responding to them and ultimately the matter was passed to the Federal Trade Commission (FTC).

When the FTC investigated Wyndham they found that amongst other things the company had insufficient information security practices and procedures in place to prevent cyber-attacks, and in addition their privacy policy made claims about their level of cyber security which were a misrepresentation and deceptive.

The FTC held Wyndham Worldwide liable for failing to implement “reasonable protections”.

Wyndham brought proceedings in the Courts against the FTC claiming that they had no authority to adjudicate on the level of cyber security that Wyndham had or had not in place.

In the Third Circuit decision on 24th August 2015 the Federal Court reaffirmed the power of the FTC to enforce against Wyndham claiming that Wyndham had committed “unfair or deceptive acts or practices by failing to implement adequate cyber security”. Furthermore the deception was in part as a result of the publically available privacy policy that stated that suitable security was in place, when clearly it was not.

Edith Ramirez, the FTC Chairperson recently stated that the decision of the Federal Court “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data.”

The Wyndham case is the subject of much discussion amongst privacy lawyers around the world but particularly in the US and the general conclusion is that companies must be considerably more robust in the way in which they implement cyber security organisational and technical measures and further that a privacy policy must be an accurate reflection of the policies and procedures in place.

Data security is now a default and not an option!