Hotel Franchisor Challenges FTC's Expanded Enforcement Efforts Targeting Franchise System's Data Security and Privacy Policies

by Ballard Spahr LLP

[authors: Kim I. McCullough, David A. Haworth, Mercedes Kelley Tunstall]

The Federal Trade Commission’s recent lawsuit against Wyndham Worldwide may mark the beginning of FTC enforcement actions targeting franchise systems through allegations of customer data security vulnerabilities in franchisors’ technology platforms or the platforms maintained by their franchisees. This lawsuit is the latest in a string of more than 30 legal actions—all of which have resulted in settlements—intended to address allegedly misleading consumer privacy policies and inadequate data security policies and practices. While targets of FTC privacy actions have included companies of all sizes, the Wyndham suit is the first to target a franchise system.

Wyndham is challenging the suit, arguing that the FTC lacks authority to regulate data security and that the FTC’s allegations are baseless because they relate to customer data collected by independent franchised locations, and not by the franchisor. In light of this most recent enforcement action, franchisors should take the opportunity to review their data security and website privacy policies and examine their credit card management and other technology systems, including those accessible to franchisees.

The Wyndham lawsuit, filed June 26, 2012, in the U.S. District Court for the District of Arizona, alleges that more than 500,000 credit card numbers were stolen, along with customers’ personal information, resulting in fraudulent charges in excess of $10.6 million. The allegations focus on the franchise system’s ability to prevent data security breaches through control of the configuration and password policies of computer systems and servers located at the corporate data center and franchisee/vendor locations, as well as the system’s ability to limit a non-compliant franchisee's access to the franchisor’s networks. The complaint alleges that on two occasions, hackers compromised a computer server at a franchised location and then used the compromised server to access networked servers at other franchised or company-managed locations. In a third instance, a vendor’s account password was allegedly hacked on a corporate server, which then permitted the hackers to install access servers at franchised locations.

The FTC's complaint alleges that Wyndham and its subsidiaries violated Section 5(a) of the FTC Act, 15 U.S.C. §45(a), which prohibits “unfair or deceptive acts or practices in or affecting interstate commerce.” The complaint alleges that a Wyndham subsidiary's data-security practices were "unfair" because they allegedly failed to ensure "reasonable and appropriate" protections for consumer information. The complaint also accuses the Wyndham subsidiary of making deceptive statements on its online privacy policy concerning its data security.

The motion to dismiss filed by Wyndham and its affiliates raises a significant challenge to the FTC’s legal authority to prosecute the action in the first instance. Wyndham argues that the lawsuit exceeds the FTC’s mission and regulatory authority under 15 U.S.C. §45(a) and must be dismissed. Specifically, Wyndham argues that the FTC is not authorized under the FTC Act to establish minimum criteria for data security policies, design criteria for complex network operating software, or regulate consumer credit card data. Moreover, Wyndham argues that the FTC’s authority in the area, if any, can only be exercised through the rulemaking processes after public comment.

On August 28, 2012, Wyndham and its affiliates sought dismissal of the FTC’s suit, citing among various reasons that the pleadings lacked specificity. Wyndham’s motion states that no data it collected is alleged to have been compromised, but rather only data collected by “independent Wyndham branded hotels.” It further argues that the privacy policy on the Wyndham subsidiary's corporate website, which the FTC claims was deceptive, makes no representations about the security of data collected by franchised locations, noting that those locations operate independently of the franchisors and have their own data security rules. Indeed, the privacy policy explicitly disclaims making any representations about data security at the franchisee level. The FTC’s opposition to the motion to dismiss was due October 1, 2012.

As a practical matter, regardless of the outcome of the challenge to the FTC’s enforcement authority, the FTC’s potential new focus on franchise systems raises many compliance and legal concerns for franchise systems in the privacy and data security area. Even if the claims against Wyndham are dismissed, the FTC’s allegations highlight the possibility of other types of data breach and privacy claims.

Thus, franchisors should consider closely scrutinizing their stated privacy policies as well as their underlying credit card management and other technology systems, including those to which franchisees are granted access. For example, the complaint suggests that from the FTC’s perspective, a franchisor that provides or licenses technology systems to franchisees has significant obligations to control the manner in which the technology system can be configured at the franchised locations and to limit or prevent access to protected customer information between franchised systems through the use of internal firewalls. The franchisor’s obligations under the circumstances in that case seem to include, according to the allegations in the complaint:

  • Requiring that default passwords on all franchisor, franchisee, and vendor accounts be changed with passwords that are not easily susceptible to being guessed in brute force attacks
  • Designing appropriate firewalls between and among servers and franchisee locations
  • Requiring franchised locations to establish and implement information security policies and website privacy policies reflecting their online practices before allowing connections to the franchisor’s networked systems
  • Ensuring that franchisee locations maintain current and supported server software and security, and potentially disallowing access to outdated systems lacking security updates
  • Inventorying networked computers so that devices can be managed and the origin of attacks from within the corporate network can be identified
  • Establishing incident response procedures and an intrusion detection or monitoring system
  • Restricting vendor or other third-party access to internal computer networks

This list is, of course, case specific and non-exclusive.

Franchise systems, and particularly mid-sized and smaller systems with limited internal security expertise, should consider seeking immediate legal and technical guidance to ensure that their security systems and design, technology systems, licensing policies and procedures, and franchise systems are structured to minimize the liability exposure of franchisor and franchisees alike to data breaches and other privacy-related claims. Similarly, reservation and payment systems should be reviewed closely for compliance with local and federal statutes, rules, and regulations.

The attorneys in Ballard Spahr’s Franchise and Distribution Group regularly advise clients on complying with FTC rules and requirements and represent franchisors in legal disputes with the FTC, franchisees, and distribution partners. The attorneys in Ballard Spahr's Privacy and Data Security Group work with clients to develop and implement data security plans and privacy policies. If you have any questions about data security and privacy rules or FTC rules and requirements generally, please contact Kim I. McCullough at 303.299.7318, David A. Haworth at 856.873.5525, or Mercedes Kelley Tunstall at 202.661.2221.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
