Wyndham Settles FTC Data Breach Charges
On December 9, 2015, the Federal Trade Commission (FTC) announced that it had reached a settlement with Wyndham Worldwide Corporation (Wyndham) in connection with charges that Wyndham had unfairly failed to provide reasonable cybersecurity measures for customer data. The settlement, which still requires court approval, ends a long-running civil case, FTC v. Wyndham Worldwide Corporation, No. 13-01887 (D.N.J.), arising from three data breaches suffered by Wyndham between 2008 and 2010 involving more than 619,000 credit and debit card numbers.
The lawsuit gained notoriety in part because it marked a continuing shift in how the FTC commences cybersecurity enforcement actions. Initially, actions brought by the FTC focused on deception. The FTC opined that because data protection was a material factor in consumers’ purchasing decisions, a company’s failure to live up to its own disclosed data security measures constituted a deceptive trade practice. More recently, however, the FTC has brought enforcement actions based on an unfairness standard, arguing that the failure to provide reasonable cybersecurity protection constitutes an unfair practice punishable under Section 5 of the FTC Act. The FTC has not specifically defined what constitutes a “fair” or “reasonable” cybersecurity practice. In a September 2014 address, FTC Commissioner Julie Brill noted only that the FTC enforced “a flexible standard of reasonable security,” and that “[t]he key difference between unfairness and deception is that unfairness may be applicable even in the absence of a representation or omission in information presented to consumers.”
Much of the focus of FTC v. Wyndham challenged the FTC’s authority to regulate cybersecurity measures and its failure to define the “fairness” standard. The lawsuit was viewed by many as a test of the FTC’s authority to fill a void left from Congress’ failure to adopt wide-ranging legislation on data security. In August 2015, however, the Third Circuit upheld the FTC’s authority to bring a cybersecurity enforcement action under the “fairness” standard. FTC v. Wyndham, 799 F.3d 236, 245-48 (3d Cir. 2015). The Court of Appeals further rejected Wyndham’s contention that the FTC was required to define an acceptable cybersecurity standard, holding that Wyndham was not entitled to know with “ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required” under Section 5 of the FTC Act. Id. at 255.
Under the proposed settlement, Wyndham is obligated to implement and maintain a comprehensive information security program designed to protect the security of customer payment-card information—including payment card numbers, data, and expiration dates. This obligation remains in place for twenty years. The settlement requires Wyndham to obtain annual security audits of its information security program to ensure that it complies with the Payment Card Industry (PCI) Data Security Standards. It also requires Wyndham to:
- Certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- Certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- Certify that the auditor is qualified, independent and free from conflicts of interest.
Finally, under the settlement, should Wyndham suffer another data breach affecting more than 10,000 payment-card numbers, it must assess and report that breach to the FTC within ten days of its discovery. The settlement does not impose monetary sanctions against Wyndham, although complying with its terms over the next twenty years undoubtedly will be costly.
The settlement is notable because it may provide some answers as to what the FTC deems “fair” and “reasonable.” Specifically, the settlement suggests that for large corporations, at the very least, the FTC may look to the PCI Data Security Standards as a benchmark for “fair” and “reasonable” cybersecurity measures. The PCI Data Security Standards have the following requirements:
- Install and maintain a firewall configuration to protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored cardholder data;
- Encrypt transmission of cardholder data across open, public networks;
- Protect all systems against malware and regularly update anti-virus software or programs;
- Develop and maintain secure systems and applications;
- Restrict access to cardholder data by business need to know;
- Identify and authenticate access to system components;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes; and
- Maintain a policy that addresses information security for all personnel.
A more detailed overview of the Standards now utilized by the FTC can be found here. Some may also note that the settlement comes following the FTC’s defeat in the action In the Matter of LabMD Inc., Docket No. 9357 (F.T.C.). Further information and commentary on that decision may be found here.
For additional information on the FTC v. Wyndham litigation or settlement, please contact Joshua A. Mooney (215.864.6345; firstname.lastname@example.org), Jonathan Klein (215.864.6887; email@example.com), or another member of the Cyber Law and Data Protection Group.