On December 9, 2015, the Federal Trade Commission (the "FTC") and Wyndham Worldwide Corporation (and three additional Wyndham entities, collectively, "Wyndham") filed a stipulated order ("Stipulated Order") settling their long-running litigation regarding allegations that Wyndham's data security policies led to three data breaches resulting in the disclosure of the information of more than 619,000 consumers. As part of the settlement, Wyndham will establish a comprehensive information security program to protect customers' credit card data and undergo annual audits to ensure compliance with such program and the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures ("PCI DSS"). The settlement does not hold Wyndham liable for any violations or require it to pay any monetary damages.
The settlement comes after the United States Court of Appeals for the Third Circuit ruled in Federal Trade Commission v. Wyndham Worldwide Corporation that the FTC has the authority to regulate "unfair or deceptive acts or practices" relating to cybersecurity under 15 U.S.C. § 45(a) (the "FTC Act") and that Wyndham had fair notice that its cybersecurity practices could be subject to scrutiny under the FTC Act. In a unanimous decision, the Court of Appeals affirmed the April 2014 district court ruling denying Wyndham's motion to dismiss, allowing the FTC to proceed with its suit seeking to hold Wyndham accountable for three breaches of its information technology systems in 2008 and 2009 and for its cybersecurity practices at the time.
Throughout the proceedings, Wyndham challenged the FTC's authority to pursue these claims. Wyndham's main arguments were that (1) the plain meaning of "unfair" as used in the FTC Act requires the consideration of factors in addition to the three traditional factors of the customary 15 U.S.C. § 45(n) analysis (substantial injury to consumers, not reasonably avoidable by consumers themselves, and not outweighed by countervailing benefits to consumers or competition), (2) a business does not treat its customers in an unfair manner when the business itself is victimized by criminals, (3) recent congressional action is inconsistent with the idea that the FTC has such authority, and (4) even if the FTC has such authority, the FTC failed to give Wyndham fair notice of the specific cybersecurity standards it was required to follow.
In response to argument (1), the court was not persuaded that any additional factors were necessary and noted that the three factors have been largely the same for 35 years. In response to argument (2), the court rejected Wyndham's position, noting that Wyndham cited no authority for it and that the FTC has express authority to bring unfairness claims on the basis of likely rather than actual injury. In response to argument (3), the court said it was not convinced by Wyndham's reading of the later statutes and found no indication that Congress intended to exclude such authority. In response to argument (4), the court found that "this case involves ordinary judicial interpretation of a civil statute," so "[t]he relevant question is whether Wyndham had fair notice of what the statute itself requires," not of the FTC's interpretation of it; Wyndham had not argued on appeal that it lacked notice of what the statute itself requires.
Pursuant to the Stipulated Order, Wyndham is required to implement a comprehensive information security program that is "reasonably designed to protect the security, confidentiality and integrity" of its customers' cardholder data, as defined in the PCI DSS ("Cardholder Data"). The security program must include certain administrative, technical and physical safeguards listed in the Stipulated Order that are appropriate for Wyndham's size and complexity, the nature and scope of Wyndham's activities and the sensitivity of the Cardholder Data. Wyndham is required to obtain annual security audits of the program; each audit must certify compliance with the PCI DSS and confirm that Wyndham maintains a formal risk assessment process to analyze the data security risks it faces. If Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC. If Wyndham obtains the foregoing audits, it shall be deemed in compliance with its comprehensive information security obligations. Wyndham's obligations to maintain a comprehensive security program and obtain annual audits remain in effect for 20 years. Within one year of the filing of the Stipulated Order, Wyndham must submit to the FTC a compliance report describing the steps it has taken to comply with the Stipulated Order and, during the 10 years after filing, must submit a compliance notice upon any change in the structure of Wyndham, or of any entity that Wyndham directly or indirectly owns or controls, that may affect compliance with the obligations arising under the Stipulated Order.
The Third Circuit's decision and the recent settlement have important implications for companies maintaining an online presence and those that collect consumer information. While some have challenged the scope of the FTC's authority to pursue privacy-related claims under the FTC Act, the decision and settlement are clear indications that the FTC will continue to be one of the lead government agencies on privacy and data protection matters, even though the FTC Act contains no specific grant of privacy or data protection enforcement authority. The terms of the settlement indicate that the FTC may be focused more on ensuring compliance with industry standards for data protection (with particular focus on payment card information) than on obtaining monetary damages from companies that have suffered data breaches. The settlement provides some guidance about the FTC's expectations for reasonable security, such as a designated employee who coordinates the information security program and periodic testing of implemented safeguards. The settlement shows that the FTC's analysis of whether data protection efforts are reasonable will consider the company's size and complexity, the nature and scope of the company's activities and the sensitivity of the data the company collects. Audits should be performed to (1) understand what data the company collects and the industry standards for protecting that data, and (2) ensure that the commitments made in the company's policies are actually being implemented. The author of a company's privacy and cybersecurity policies should have regular conversations with the company's technical personnel to avoid a disconnect between the company's policy commitments and its actual practices. Going forward, companies may have an affirmative duty to monitor and more closely follow industry practices even if their policies do not contain such a commitment.