Keywords: Wyndham, FTC, settlement, data breaches.

On December 9, 2015, Wyndham Worldwide Corporation, and related companies (collectively, "Wyndham"), reached a settlement with the US Federal Trade Commission (FTC) to resolve claims arising from three data breaches that the hotel chain suffered over several years. Wyndham did not admit to the FTC's allegations of deceptive and unfair practices, but agreed to meet a variety of data security and reporting requirements during the 20-year term of the consent order. Approved by the district court two days later, the consent order provides significant guidance regarding the FTC's views on appropriate cybersecurity measures for companies that handle payment card information, including those built around a franchise model.

In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham's corporate computer systems and stole credit card numbers. The FTC brought an enforcement action in federal court in New Jersey asserting (among other things) that Wyndham's allegedly inadequate cybersecurity was "unfair" in violation of Section 5 of the FTC Act. Wyndham moved to dismiss on various grounds, including that the FTC lacked authority to bring enforcement actions alleging that cybersecurity practices were unfair to consumers. The district court rejected that argument, however, and the US Court of Appeals for the Third Circuit affirmed on August 24, 2015, setting the stage for the parties' settlement.

Under the terms of the consent order, Wyndham agreed to establish, implement, and maintain "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects or receives in the United States from or about consumers." The content and implementation of this program must be "fully documented in writing" and shall consist of enumerated "administrative, technical, and physical safeguards appropriate to [Wyndham's] size and complexity, the nature and scope of [its] activities, and the sensitivity of the Cardholder Data at issue." These safeguards include: designation of a coordinator for the information security program; the identification of material risks to cardholder data; an assessment of safeguards to control those risks (and implementation of further reasonable safeguards as necessary); and the use of reasonable steps to select and retain service providers, including contracts to require those service providers to implement and maintain appropriate safeguards for cardholder data.

Such provisions, including the 20-year term, are common features in consent decrees settling FTC investigations. The Wyndham settlement contains several additional features of interest to companies handling payment card information. In particular, Wyndham agreed to obtain an annual written assessment certifying its compliance with the Payment Card Industry Data Security Standard (PCI DSS) or another comparable standard selected by Wyndham and approved by the FTC. In addition:

  • The designated assessor must certify, as to each Wyndham-branded hotel (defined to include independently-owned hotels that are operated in the United States pursuant to a management or franchise agreement), that the hotel has been assessed as PCI DSS compliant or that the network of that hotel is treated as an "untrusted network" within the meaning of the PCI DSS (i.e., that it is firewalled from the Wyndham network and various other safeguards are in place);
  • The assessor reviewing Wyndham's compliance must be an "objective, independent third-party professional" with expert technical qualifications;
  • Wyndham must obtain a separate assessment if it suffers a breach that involves more than 10,000 unique payment card numbers; and
  • A qualified assessor must certify that any "significant change" in Wyndham's security practices does not cause it to "fall out of compliance" with the approved standard.

The consent order also subjects Wyndham to various reporting, recordkeeping, and monitoring requirements.

Originally published December 14, 2015.

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2015. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.