After a long and rare court battle, the Wyndham Worldwide Corporation has agreed to settle a lawsuit brought by the Federal Trade Commission (FTC) that contended that the company's security practices had unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches. The settlement contains some unique requirements that differ from past FTC consent orders.

Background

As we discussed earlier this year in a D&G alert, on three occasions in 2008 and 2009, hackers successfully accessed Wyndham Worldwide Corporation's computer systems. In total, the hackers allegedly stole the personal and financial information of hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges. Although the vast majority of targets of FTC data security enforcement actions choose to settle, Wyndham decided to challenge the FTC's authority to pursue the matter.

The FTC sued Wyndham in June 2012, alleging that Wyndham's conduct was an unfair practice and that its privacy policy was deceptive due to the security commitments promoted. In particular, the FTC alleged that, at least since April 2008, Wyndham had been engaging in unfair cybersecurity practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

In 2014, the U.S. District Court for the District of New Jersey denied Wyndham's motion to dismiss the FTC's suit. Wyndham appealed to the U.S. Court of Appeals for the Third Circuit, arguing that the FTC did not have the authority to regulate cybersecurity under the unfairness prong of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."

Late this past August, the Third Circuit rejected Wyndham's challenge and affirmed the district court's decision, thereby tacitly endorsing the broad authority exercised by the FTC in these security matters. The circuit court ruled that Wyndham had not acted equitably when it published a privacy policy to attract customers who were concerned about data privacy, failed to make good on that promise by "investing inadequate resources in cybersecurity," exposed its unsuspecting customers to "substantial financial injury," and retained the profits of their business. The case was then sent back to the District Court, which led to the parties settling the matter before trial.

Terms of the Settlement

First, Wyndham will establish a comprehensive information security program – and will keep the program in operation for 20 years – that is "reasonably designed" to protect the security, confidentiality, and integrity of cardholder data – including payment card numbers, names, and expiration dates – that it collects or receives in the United States from or about consumers. In particular, the settlement requires that the program, which must be documented in writing, have the following administrative, technical, and physical safeguards appropriate to Wyndham Hotels and Resorts' size, complexity, and activities:

  • Designation of an employee or employees to coordinate and be accountable for the information security program;
  • Identification of material internal and external risks to the security, confidentiality, and integrity of cardholder data that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and an assessment of the sufficiency of any safeguards in place to control these kinds of risks;
  • At a minimum, this risk assessment must include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, (3) risks emanating from Wyndham-branded hotels, and (4) prevention, detection, and response to attacks, intrusions, or other systems failure;
  • Design and implementation of "reasonable safeguards" to control the risks identified through risk assessment (including any risks emanating from Wyndham-branded hotels), and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;
  • Development and use of "reasonable steps" to select and retain service providers capable of appropriately safeguarding cardholder data received from Wyndham Hotels and Resorts and requiring that the service providers by contract implement and maintain appropriate safeguards for such information; and
  • Evaluation and adjustment of Wyndham Hotels and Resorts' information security program in light of the results of the testing and monitoring discussed above or "any other circumstances" that Wyndham Hotels and Resorts "knows or has reason to know" may have a material impact on the effectiveness of such information security program.

Cardholder Data Assessments

One of the unique aspects is that the settlement agreement also requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard (PCI) for certification of a company's security program. These audits must:

  • Certify the "untrusted" status of franchisee networks in an effort to prevent future hackers from using the same method used in the company's prior breaches;
  • Certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
  • Certify that the audit was conducted by a qualified, objective, independent third-party professional.

The focus on the franchise model is also unique. Further obligations are imposed on Wyndham in the event of a "noncompliant assessment."

Moreover, within 180 days following discovery of a data breach involving more than 10,000 unique payment card numbers, Wyndham is obligated to obtain an assessment that meets the requirements, established by the PCI Security Standards Council, of a PCI Forensic Investigator Final Incident Report or, at its election, a standard of comparable scope and thoroughness approved by the FTC. It must provide that assessment to the FTC.

Bottom Line

Wyndham’s settlement brings to an end one of the most significant challenges to the FTC’s broad authority to regulate data security matters (for another such challenge, see our earlier D&G alert on that case). The result is an emboldened FTC and new data security standards for companies to consider. The FTC, through its successful pursuit of Wyndham, is sending a clear message to companies that collect consumers’ personal information: they need to be vigilant in ensuring that they have sufficient data security practices and procedures in place to avoid FTC scrutiny in the event of a data breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.