Wyndham Worldwide Corp. has agreed to a settlement with the Federal Trade Commission over charges stemming from the hotel chain's three security breaches in 2008 and 2009 that exposed 619,000 payment cards and other personal information (see FTC Sues Hotel Chain for Card Breaches).
See Also: 9 Steps to Build a Better Insider Threat Program
No financial penalty is mentioned in the settlement. The agreement requires Wyndham to maintain a comprehensive security program designed to protect cardholder data and conduct annual security audits to ensure it maintains compliance with PCI Data Security Standard, according to a Dec. 9 FTC statement.
If Wyndham suffers another data breach that affects more than 10,000 payment cards, it is required to have an assessment of the breach conducted and provide it to the FTC within 10 days. The company's obligations under the settlement extend 20 years.
In a statement about the settlement, Wyndham says: "We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC's position could have had a negative impact on the franchise business model. This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information."
Privacy attorney Ron Raether says the settlement's focus on ensuring only the security of card data, and not all personally identifiable information, shows that Wyndham had some negotiating power.
"Wyndham is already required to comply with PCI, so this doesn't create additional hardship for the company," Raether says. "But the FTC could come back with significant fines if they don't comply. And if there are significant changes in practice between assessments, Wyndham must conduct more frequent audits, according to the order. That will require Wyndham to be thoughtful about changes it makes in between assessment dates."
Cybersecurity attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says Wyndham had no choice but to settle. "After being unsuccessful in the legal case challenging the FTC's authority, Wyndham was left with only one option - settlement," he says. "This settlement once again demonstrates the clear authority of the FTC to use its powers under 'unfair or deceptive acts and practices' to hold companies accountable for cybersecurity breaches."
Court Rulings in Case
Wyndham had challenged the FTC's authority to enforce data security, but in April 2014, a federal court denied Wyndham's motion to dismiss the commission's breach-related lawsuit against it. In August 2015, an appellate court panel upheld the lower court's ruling and affirmed the FTC's authority to play a key role in cybersecurity regulation as it relates to the protection of consumer data (see Court Affirms FTC Authority on Cybersecurity Issues).
In June 2012, the FTC sued Wyndham, claiming that the hotel chain violated the FTC Act's unfair business practice provisions when it took inadequate security measures to protect consumer data. The FTC charged Wyndham failed to sufficiently address its security gaps after the first breach occurred in April 2008, which resulted in two more breaches aimed at stealing payment card data (see timeline of the FTC's case against Wyndham).
The FTC charged that Wyndham failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access and failed to follow proper incident response procedures.
"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," FTC Chairwoman Edith Ramirez says. "Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area."
LabMD Case Continues
Another FTC case involving data security is still pending.
Like Wyndham, LabMD has been embroiled in a dispute with the FTC over the regulator's proposed enforcement actions tied to data breaches. The FTC filed a complaint against the medical testing company in August 2013 stemming from breaches in 2008 and 2012.
An FTC chief administrative law judge on Nov. 13 issued an initial ruling to dismiss the FTC's data security enforcement case against LabMD. In his ruling, the judge said the FTC failed to prove its case that two data security-related incidents involving LabMD caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices. But the FTC Consumer Protection Bureau has filed a notice to appeal the FTC administrative law judge's decision, and the matter will be decided by the FTC's commissioners (see FTC to Appeal Ruling That Dismissed LabMD Case).