Wyndham Reaches Settlement with the FTC
The Federal Trade Commission announced a settlement with Wyndham Worldwide Corporation and several associated companies in the closely-watched case, FTC v. Wyndham Worldwide Corp., et al. The parties agreed to a 20-year compliance plan that FTC staff described as “PCI-DSS Plus.” Namely, the settlement order requires Wyndham to:
- Identify to the FTC all franchisor – and franchisee – owned hotels and certify that franchisee data traffic will be treated as “untrusted” traffic;
- Conduct a risk assessment process that identifies material internal and external risks to the security, confidentiality and integrity of Cardholder Data, then certify its completion with the FTC;
- Conduct annual independent third-party assessments of PCI-DSS compliance (if Wyndham used an Internal Security Assessor “ISA” to assess compliance, it could no longer continue with this practice during the compliance period);
- Provide FTC notice of any breaches involving more than 10,000 payment card numbers within 10 days of delivery of a Final Incident Report from a PCI Forensics Investigator; and
- Submit to further PCI compliance auditing if Wyndham deceives the auditor or makes interim material changes to its network.
The settlement did not require any monetary forfeiture or disgorgement. But, the fact that the FTC has direct compliance oversight of Wyndham (and its owned and operated hotels) for a 20-year period is a powerful warning to the industry.
Still subject to court approval, the settlement would end a multi-year challenge of the FTC’s authority to regulate reasonable data security under Section 5 of the FTC Act. As background, the FTC sued Wyndham and three of its subsidiaries in 2012, alleging that certain data security failures led to three major breaches in the span of two years. The FTC alleged that hackers accessed the network of a Wyndham franchisee and then exploited security gaps on Wyndham’s corporate network to steal consumer data from other Wyndham franchisees, resulting in millions of dollars of fraudulent charges affecting up to 619,000 Wyndham customers. The settlement follows the FTC’s victory in the Court of Appeals for the Third Circuit this past August, in which the Third Circuit rejected Wyndham’s argument that the FTC did not have the authority to regulate cybersecurity under the “unfairness” prong of section 5(a) of the FTC Act. Our past blog posts are available on this case here.
During a media conference call following the FTC’s announcement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, emphasized that the Wyndham settlement was consistent with the dozens of FTC settlements with other companies concerning data security and reaffirms the FTC’s authority under section 5. She noted that the FTC “never waivered” in the face of Wyndham’s challenge to that authority and that the resulting settlement will help keep consumer data secure in the future. Rich reaffirmed that data security remains one of the FTC’s “highest priorities.”