Data security observers read with interest a U.S. Court of Appeals decision earlier this year, Federal Trade Commission v. Wyndham, which affirmed the FTC’s authority to challenge allegedly lax data security practices under the unfairness provision of the FTC Act. We believe this ruling is a landmark victory for consumers and for companies of all sizes committed to protecting the security of their customers’ personal information. Now there’s another major development in the Federal Trade Commission’s (FTC) enforcement action against Wyndham, and you’ll want to be one of the first to know.
To recap, the Federal Trade Commission (FTC) sued Wyndham and three of its subsidiaries in 2012, alleging that data security failures led to three breaches in less than two years. According to the complaint, hackers infiltrated the network of one Wyndham franchisee and then exploited a vulnerability in Wyndham’s corporate network to obtain sensitive consumer data from dozens of other Wyndham franchisees. The breaches resulted in hundreds of thousands of consumer account details being transferred to websites registered in Russia and in millions of dollars of fraudulent charges on consumers’ credit and debit cards. The district court ruled that the FTC had authority to challenge Wyndham’s conduct under the FTC Act. The Third Circuit immediately heard an appeal on this legal issue and ruled in favor of the FTC.
Today, the FTC and Wyndham announced a proposed settlement in this case. You’ll want to read the order for the details, but here are some highlights.
Under Part I of the proposed order, Wyndham must establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related information security audits each year for the next 20 years.
In addition, the order requires Wyndham to specifically consider risks arising from network connections between Wyndham-branded hotels and corporate data centers. The FTC considers this an important provision because the violations alleged in the complaint stem from weaknesses in these connections.
Part II of the order requires Wyndham to conduct an annual independent assessment based on the Payment Card Industry Data Security Standard, known to most businesses as PCI DSS, which is the industry standard for entities that accept credit cards. But it didn’t end there. Part II includes additional provisions that go beyond the PCI DSS requirements. These provisions require the independent third-party auditors to certify that:
- Wyndham maintains ties to its franchised hotels;
- Wyndham engages in a comprehensive risk assessment as set forth in the PCI DSS Risk Assessment Guidelines; and
- The auditor is truly independent of Wyndham.
If the independent assessment required by Part II determines that Wyndham is in full compliance, the FTC will consider Wyndham to be in compliance with the comprehensive information security program required by Part I. However, if Wyndham deceives the auditors in any way or makes significant changes to its systems after the audit, all bets are off.
What is the legacy of Federal Trade Commission v. Wyndham? First, the appeals court’s decision affirmed the FTC’s use of Section 5 to challenge unreasonable data security practices. Second, the lessons from this case and from the FTC’s more than 50 other data security settlements provide guidance for other companies on building reasonable security into their daily operations.
The FTC has free resources to help companies get started with security.