On December 9, 2015, Wyndham Worldwide Corporation, and related companies (collectively, “Wyndham”), reached a settlement with the US Federal Trade Commission (FTC) to resolve claims arising from three data breaches that the hotel chain suffered over several years. Wyndham did not admit to the FTC’s allegations of deceptive and unfair practices, but agreed to meet a variety of data security and reporting requirements during the 20-year term of the consent order. Approved by the district court two days later, the consent order provides significant guidance regarding the FTC’s views on appropriate cybersecurity measures for companies that handle payment card information, including those built around a franchise model.
In 2012, the FTC accused Wyndham Hotels of failing to use reasonable efforts to protect consumer information after hackers broke into Wyndham’s corporate computer systems and stole credit card numbers. The FTC brought an enforcement action in federal court in New Jersey asserting (among other things) that Wyndham’s allegedly inadequate cybersecurity was “unfair” in violation of Section 5 of the FTC Act. Wyndham moved to dismiss on various grounds, including that the FTC lacked authority to bring enforcement actions alleging that cybersecurity practices were unfair to consumers. The district court rejected that argument, however, and the US Court of Appeals for the Third Circuit affirmed on August 24, 2015, setting the stage for the parties’ settlement.
Under the terms of the consent order, Wyndham agreed to establish, implement, and maintain “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of Cardholder Data that it collects or receives in the United States from or about consumers.” The content and implementation of this program must be “fully documented in writing” and shall consist of enumerated “administrative, technical, and physical safeguards appropriate to [Wyndham’s] size and complexity, the nature and scope of [its] activities, and the sensitivity of the Cardholder Data at issue.” These safeguards include: designation of a coordinator for the information security program; the identification of material risks to cardholder data; an assessment of safeguards to control those risks (and implementation of further reasonable safeguards as necessary); and the use of reasonable steps to select and retain service providers, including contracts to require those service providers to implement and maintain appropriate safeguards for cardholder data.
Such provisions, including the 20-year term, are common features in consent decrees settling FTC investigations. The Wyndham settlement contains several additional features of interest to companies handling payment card information. In particular, Wyndham agreed to obtain an annual written assessment certifying its compliance with the Payment Card Industry Data Security Standard (PCI DSS) or another comparable standard selected by Wyndham and approved by the FTC. In addition:
The consent order also subjects Wyndham to various reporting, recordkeeping, and monitoring requirements.
You have no pages selected. Please select pages to email then resubmit.