I did not see this coming. Wyndham has settled FTC charges, bringing an end to a closely watched court case involving the FTC’s authority to enforce data security. The case was the first one that hadn’t resulted in a consent order. Today’s settlement leaves only the LabMD case as a challenge to the FTC’s authority to enforce data security, although the Wyndham and LabMD cases raise slightly different issues and the LabMD case is still an administrative proceeding at this point.
The FTC’s press release:
Wyndham Hotels and Resorts has agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.
Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. In addition, the order requires Wyndham’s audit to:
- certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- certify that the auditor is qualified, independent and free from conflicts of interest.
The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, they must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.
The order provides that if Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process.
Wyndham’s obligations under the settlement are in place for 20 years.
The Commission vote approving the proposed stipulated order was 4-0. The FTC filed the proposed stipulated order in the U.S. District Court for the District of New Jersey.
NOTE: Stipulated orders have the force of law when approved and signed by the District Court judge.
Wyndham’s Press Release:
Wyndham Worldwide Corporation (NYSE: WYN) today issued the following statement regarding its settlement with the Federal Trade Commission resulting from the FTC’s investigation of data breaches that occurred at some Wyndham Hotels and Resorts-brand hotel properties from 2008 to 2010.
“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model. This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks.”
Several years ago, Wyndham Hotels and Resorts, LLC was the victim of sophisticated cyberattacks by criminal hackers, who accessed customer information at certain Wyndham Hotels and Resorts-brand hotel properties. The Company promptly alerted law enforcement agencies, retained computer forensic experts, implemented significant security enhancements, and assisted franchised Wyndham Hotels and Resorts-brand hotels in reinforcing their information security. Wyndham also made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. Importantly, to date Wyndham has not received any indication that any hotel customers experienced financial loss as a result of these attacks. The FTC conducted an investigation of this matter and Wyndham cooperated fully. Following are the key terms of the settlement between Wyndham and the FTC announced today:
Wyndham will not pay any monetary relief. The Company is granted a Safe Harbor if it continues to meet certain requirements for “reasonable information security” outlined in the FTC’s consent order. The consent order applies only to payment card information, and does not apply to any other categories of personally identifiable information. Payment Card Industry (“PCI”) certification will satisfy Wyndham’s reporting requirement and provide the basis for the Safe Harbor. The duration of Wyndham’s obligations under the consent order will in no event be longer than 20 years, and in several areas will be shorter.
Update: From the FTC’s site (the appendices relate to PCI standards):