Landmark Wyndham Settlement Provides Guidelines For Companies To Meet FTC’S Datasecurity Requirements

Nossaman LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On December 9, Wyndham Hotels and Resorts (“Wyndham”) agreed to a landmark settlement with the Federal Trade Commission (“FTC”) stemming from the FTC’s lawsuit against it after three data breaches that occurred between 2008 and 2010.  The settlement is the first of its kind, and will provide companies with guidelines and standards as to what the FTC considers sufficient practices for corporate data protection.

The FTC filed its lawsuit after hackers stole more than 619,000 credit- and debit-card numbers from Wyndham.  The FTC alleged that Wyndham failed to maintain reasonable data security practices because it used outdated software that failed to receive security updates, which left consumer data unprotected.  Wyndham denied these allegations, and accused the FTC of penalizing the victim of the hacking instead of the actual hacker culprits.

In April 2014, the U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss, and held that the FTC could pursue claims for unfair data security practices.   In August 2015, the Third Circuit affirmed the District Court’s ruling that Section 5 of the FTC Act empowers the FTC to bring lawsuits against private companies for insufficient data security practices.

This settlement ends the mystery of what might happen if the case were litigated, but provides a framework for other companies confronted with similar situations.  Under the settlement, Wyndham is obligated to implement and maintain a comprehensive information security program designed to protect card-holder data; obtain annual written assessments and certifications of Wyndham’s Payment Card Industry Data Security Standard compliance from a qualified and independent third-party professional; ensure that the networks of its franchisees are properly protected; and the Wyndham audit would need to certify the “untrusted” status of franchisee networks, to avert future hackers from deploying similar method used in previous breaches.

The settlement does not impose a monetary penalty and does not hold Wyndham liable for any violations.  What does this mean going forward?  Perhaps this shows the FTC is focusing on ensuring better data security practices over penalizing companies that have been breached.  Or perhaps Wyndham was treated more leniently because the breaches occurred before the proliferation of data breaches.  Regardless, this settlement will provide a good benchmark for any company that sees itself in litigation with the FTC over data security.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising

Written by:

Nossaman LLP
Nossaman LLP
Contact
more
less

Nossaman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide