Wyndham Settles FTC Charges regarding Allegedly Lax Data Security Practices

Posted by Craig Carpenter, Mackenzie Wallace

The long-running dispute between the FTC and Wyndham Hotels regarding the hotel chain’s data security practices (which we have covered here, here, and here) may now be at a close: yesterday, the FTC released news that it has settled the charges with Wyndham Hotels regarding the hotel chain’s allegedly lax data security practices, which came to light after the hotel’s network was breached between 2008 and 2010.

In the settlement announced yesterday, Wyndham agrees to certain data security obligations, including:

- Establishment of a comprehensive information security program, which must be fully documented in writing, and which shall consist of administrative, technical, and physical safeguards;
- Annual written assessments of the extent of Wyndham’s compliance with PCI DSS (or a comparable standard);
- Maintenance and retention of records of PCI DSS compliance and reporting of compliance to the FTC; and
- If Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must within 10 days provide an assessment of the breach to the FTC.

Under the settlement, these obligations last 20 years.

Although Wyndham and the FTC have now settled this dispute in a manner similar to other FTC data security actions, Wyndham’s decision to challenge the FTC’s charges brought significant attention to this case. Wyndham’s challenge, however, lost steam after the August 2015 opinion by the Third Circuit Court of Appeals largely upholding the FTC’s authority over data security practices pursuant to Section 5 of the FTC Act (unfair business practices). As we have discussed in our prior coverage of this dispute, the Third Circuit opinion was a huge boost to the FTC, an agency that has been very active in the data security space.

By gaining the support of the Third Circuit and obtaining a favorable settlement in this hard-fought dispute, the FTC’s authority to enforce data security policies and practices appears to be solidified.

While there is still no specific “standard” for “reasonable” data security practices, this dispute has provided useful information regarding: (1) identifying practices (or the lack thereof) that are clearly deficient; (2) confirming the FTC’s role as the leading data security regulator; (3) confirming the court’s acceptance of the “unfairness” prong of the FTC Act as a barometer for data security practices; and (4) providing evidence of some practices the FTC would like to see companies do more of (by way of the settlement obligations), including, for example, the use of compliance assessment tools.

The FTC’s announcement of the settlement can be found here. A copy of the settlement can be found here.