A long-running legal battle came to an end Wednesday when Wyndham Worldwide Corporation agreed to settle with the U.S. Federal Trade Commission (FTC) over charges that it unfairly exposed the credit card information of hundreds of thousands of customers.
Under the 20-year settlement, Wyndham must establish a comprehensive information-security program that conforms to the Payment Card Industry (PCI) Data Security Standard, conduct annual information-security audits and maintain safeguards between its franchisees’ servers.
“This settlement resolves one of the most important consumer protection cases in FTC history,” said agency Bureau of Consumer Protection Director Jessica Rich during a conference call with the media. “We never wavered from our commitment to protecting consumer data,” she added.
Though the Wyndham settlement focuses on information-security shortcomings, Rich pointed out the agency considers that “data security is a very integral link with privacy.”
In a press release, Wyndham said Wednesday that it is “pleased” with the settlement, “which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.” The company said it had fought the charges because of “our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model. This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information.”
The FTC originally announced its case against Wyndham in 2012, but the hotel company challenged the agency’s authority to bring an unfairness case that focused on information security. In 2014, the U.S. District Court for the District of New Jersey sided with the FTC, and earlier this year, in August, a three-judge panel of the U.S. Court of Appeals for the Third Circuit upheld the 2014 decision.
“We are very pleased with the settlement,” said Rich, adding, “We are pleased with the strong validation in the courts on our data security” efforts.
The agreement comes just weeks after LabMD won its appeal in another data security case brought by the FTC. Rich said she couldn’t comment on that case, but confirmed the agency has appealed the LabMD decision by the FTC's chief administrative law judge.
In the Wyndham case, however, Rich said, “we established that the data of hundreds of thousands of customers was compromised and resulted in fraud.” She also argued that the standard the FTC used in Wyndham—that of Section 5 of the FTC Act—is the same standard they’ve used in more than 50 cases since 2001. Plus, she said, the agency has put out guidance on data security over the years.
“We’re proud of this case, but we don’t think this sets a new standard; it reaffirms it,” Rich said.
Not everyone agrees with that assessment, however. "The case represents a change in the standards that the FTC includes in their data security orders," said Venable Partner Stuart Ingis in comments provided to The Privacy Advisor. Ingis has defended a number of companies in FTC investigations. "To date, the FTC data security orders have been almost identical. This order appears to reflect the FTC’s current thinking that the reasonable security for payment card data expands beyond meeting PCI standards. The order also begins to set forth the FTC’s views on steps that companies can take in a franchisor-franchisee relationship towards reasonable security."
Perkins Coie Partner Janis Kestenbaum, who previously served as the senior legal advisor to FTC Chairwoman Edith Ramirez, sees the upside for the FTC with this settlement. She told The Privacy Advisor, “By ending the litigation now, the settlement enables the FTC to claim a victory in Wyndham as to its unfairness authority without having to prove the elements of an unfairness claim. That seems like a great result for the FTC.”
Likewise, the settlement can be seen as a victory for Wyndham. The company will not have to pay any monetary penalties and will not be held liable for any violations. According to the order, if Wyndham “successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order,” but if it misleads the FTC or provides it with false statements during any of its annual audits, this safe-harbor provision will no longer apply.
More specifically, the FTC’s order requires the audit to certify the network security of its franchisees in order to prevent the same type of hack that precipitated the previous breaches. Wyndham must also “certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company,” according to the FTC, and it must certify the independence and qualifications of the third-party auditor.
Additionally, if Wyndham does suffer another data breach of more than 10,000 payment card numbers, it will have to provide an assessment of the incident to the agency within 10 days.
Though much of this case revolves around information-security stipulations, privacy pros can glean an important development here. “The main takeaway from the settlement,” said Perkins Coie’s Kestenbaum, “is that even in federal court litigation, the FTC is sticking to the basic framework of its prior 50-plus administrative data security settlements: a comprehensive security program with outside assessments for 20 years.”
And the repercussions of the Wyndham settlement will be felt for some time. Venable's Ingis concluded, "The order, of course is not law or new regulation, binding only on Wyndham, but it will certainly result in a lot of discussion and evaluation in the business community of the current state of reasonable data security in this rapidly evolving area."