A long-running legal battle finally came to an end late last year when Wyndham Hotels & Resorts agreed to settle with the U.S. Federal Trade Commission over charges it unfairly exposed the credit card information of hundreds of thousands of customers.
The settlement, interestingly, was heralded as a win by both sides: The FTC, which said the settlement evidenced its unwavering, steadfast commitment to protecting consumer data, and Wyndham, which managed to wrestle key provisions from the FTC’s initial claim. Some say the FTC's concessions are and should be significant to those charged with protecting an organization's data—and tell a new story about how to stay out of the FTC's crosshairs.
What are we talking about here? Here’s a digestible breakdown.
The case
The FTC filed a suit against Wyndham in 2012 after several of the brand’s franchisees experienced breaches within a two-year period. Hundreds of thousands of customers reportedly took a hit when fraudulent charges showed up on their accounts and payment card data was sent to a Russian IP address. Why was Wyndham at fault? Because, the FTC said, its privacy policy “misrepresented the security measures the company and its subsidiaries took to protect consumers’ person information,” causing injury. It also said Wyndham’s security practices were unfair, violating Section 5 of the FTC Act.
The settlement order requires Wyndham to establish a comprehensive information security program “designed to protect cardholder data” and undergo annual information audits for 20 years. But here’s the thing: More times than not, FTC settlements require companies to establish information-security programs in the broad sense, that is, any personal information it collects and stores. In this case, the settlement specifically requires Wyndham’s program cover payment card data. But it's certified under the Payment Card Industry Data Security Standards, meaning that’s a burden it already carries.
Doug Meal represented Wyndham in the suit. He said the FTC’s insistence on strictly payment card data portends a shift in focus.
“The cost of compliance is dramatically, dramatically less if it only covers payment card data,” he said, “Every major retailer already has a program that protects payment card data."
But here’s why it matters moving forward.
“The thing to remember here," Meal said, "why this is significant, is that all the big breaches you read about—Target, Neiman, any of them—in every one of those cases, the company had an assessment of PCI DSS compliance.”
PCI a new safe harbor?
If, in Wyndham, compliance with PCI DSS means compliance with the FTC’s order, perhaps companies can take PCI DSS to mean a sort of safe harbor from FTC action?
“What [the order is] saying is, when it comes to payment card data, if you comply with PCI DSS, you comply with Section 5,” Meal said. "So it’s very dramatic. It’s sort of a big effort from the FTC to answer the criticism that’s been leveled at the FTC that ‘you don’t tell people what you need to do for "reasonable" data security to be in place.' What the order says basically is PCI DSS compliance equals order compliance which in turn equals Section 5 compliance.”
So sounds like a win for Wyndham, right? Talk to the FTC’s Jessica Rich. She’s got a different take.
Asked why the FTC backed off on the typical data-security provisions, Rich said while many prior settlements included a broader data security requirement, “in this case, the payment card data is what we found had been compromised. We did not find evidence of other data that had been compromised, and so the order applies to that data.”
She said it would be wrong for companies to consider PCI DSS compliance a safe harbor.
“The strong message of this case is that PCI is a starting point, but is not actually enough,” she said. Rich says the FTC’s order builds on PCI DSS requirements in a couple of ways. For instance, it requires the annual PCI DSS audits be performed by an independent third party, free of conflicts of interest, “an issue of which people have been critical of PCI.”
Rich said the settlement’s requirements around Wyndham’s autonomous data security measures and independent audits may, she hopes, drive the industry that’s using PCI, “to strengthen PCI.”
“It could serve as a model for the payment card industry and drive some improvements,” she said.
But Troy Leach, chief technology officer of PCI Security Standards Council, said the PCI DSS requirements aim to give organizations processes that, executed regularly, serve as a security baseline, not a ceiling.
“Where companies fail is when they take a checkbox approach to meeting compliance requirements that doesn’t address security-relevant changes, like personnel changes, technology updates, new vulnerabilities discovered with existing technology, etc.,” Leach said. “To be PCI compliant requires consistent monitoring for new threats and a process to address those discoveries. … Where we continue to see the disconnect is between compliance and security.”
On the independence of auditors, Leach said the program sets high expectations for assessors and has a “rigorous, ongoing quality assurance component that includes mandatory testing annually.”
The second major element of the settlement, though, is that it requires Wyndham to essentially build a data-security firewall around itself, ensuring the data it collects is kept safe from outside threats – outside threats including those emanating from its own subsidiaries. While Rich counts that provision as a win for the FTC, others say that’s what Wyndham wanted all along.
What it means for the franchise model
Elizabeth Taylor is vice president, federal government affairs of the International Franchise Association, which filed an amicus brief in the Wyndham case, asking that the suit be dismissed. The IFA argued that Wyndham’s only responsibility was to protect the brand, period.
“The way the relationship works is the only control [Wyndham] has is the protection of the trademark,” Taylor said. “There’s an independence, an entrepreneurial spirit about these franchisees. The reason it’s set up that way is the franchisor doesn’t have the capacity to handle oversight, and the franchisee doesn’t want that oversight. They want to run it as they see fit.”
In its brief, the IFA used McDonald’s as a model.
“Just because you operate under McDonald’s and wear a McDonald’s uniform, if you undercooked the food, the franchisor would not be responsible,” she said.
Conversely, if McDonald’s, the franchisor, dictated the meat needed to be kept at a certain temperature, and it turned out that temperature – as a standard – was not correct, then there could be repercussions for the brand as a whole.
Were Wyndham to be held responsible for the missteps of its franchisees, it could turn the entire franchisor/franchisee business model on its head, IFA argued. And that would be trouble, because it’s a model that’s working, it seems. A report published by the IFA in September 2015 indicates a 5.5 percent increase in “output growth in nominal dollars for franchise businesses” over the year prior, and it’s predicted the gross domestic product of the franchise sector “will increase by 5.2 percent to $521 billion in 2015,” exceeding the growth of the US GDP, “which is projected at 3.3 percent.”
In its case, the FTC was “sort of making an assumption over the control of the franchisee,” Taylor said.
Venable's Emilio Cividanes agreed the FTC, in the end, recognized it couldn’t hold Wyndham responsible for the actions of its franchisees.
“Here, the commission was trying to impose, to develop new law in terms of imposing upon franchisors liability for the behavior of the franchisees. I think the settlement recognizes that,” he said.
While there may be a desire to find a meaningful takeaway from a settlement like this, to surmise a significance might be reaching, said Cividanes.
“I think the lessons may be less than people think at first,” he said. “Some of it was just compromises.”
But if there’s a takeaway, it may be the FTC’s distinction between a franchise’s assessments from the assessments of its franchisees, “which will help establish that they are not responsible for any breaches that occur at the franchisee level. I think that’s something the [FTC wants] industry to take away from it, and I think they are right.”
photo credit: Hotel Harrison via photopin