An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.)

Some of the key points covered in the discussion include:

  • While attackers can be persistent and use sophisticated tools, most breaches result from the failure to implement basic or intermediate security controls across a network, or across a linked network of affiliated entities.
  • These failures present a hook for intrusive and expensive inquiries by the FTC into potential “unfair or deceptive acts or practices,” particularly where internal controls do not match standard privacy policy assurances or disclosures addressing security.
  • To mitigate financial and reputational harms arising from security incidents, data security frameworks must be risk-based and reflect a comprehensive, cross-functional approach to information security management that is not only enterprise-wide, but also includes integration with and closer supervision of affiliated parties.

In addition to the presentation, relevant background materials from the FTC include a petition by Wyndham to quash the FTC's Civil Investigative Demand in the proceeding; related exhibits (1 to 8 and 9-16), including a proposed consent order; the Commission's response to the petition, Wyndham's request for review by the full Commission; and the FTC's complaint as filed.