FTC's cyber security win against Wyndham may lead to more enforcement actions
Posted On: Dec. 15, 2015 12:00 AM CST
The Federal Trade Commission's settlement of its lawsuit against Wyndham Worldwide Corp. in connection with the hotel chain's cyber breaches is likely to encourage further FTC action and enforcement in this area.
The FTC had charged Parsippany, New Jersey-based Wyndham in its 2012 lawsuit with failing to properly safeguard consumer information held by its hotels, allowing intruders to gain unauthorized access to its computer network three times between April 2008 and January 2010.
A three-judge panel of the 3rd U.S. Circuit Court of Appeals in Philadelphia unanimously held in August that the FTC had authority to regulate corporate cyber security and could pursue the lawsuit, without ruling on the lawsuit's merits.
The settlement announced last week requires Wyndham to establish a comprehensive information security program designed to protect cardholder data but does not require the company to pay any fines.
“It's a very big deal,” said Stephen J. Newman, a partner with Stroock & Stroock & Lavan L.L.P. in Los Angeles. “Wyndham was fighting very hard, and I think a lot of people were anticipating that they were going to try to go all the way to the Supreme Court on this.”
That Wyndham accepted the FTC's complete jurisdiction over it is a “real feather in (the FTC's) cap,” Mr. Newman said.
Mr. Newman said he believes Wyndham agreed to the settlement because “the deal did not require them to pay any money in penalties or investigative costs, and certainly Wyndham can walk away with their head held high in that they weren't writing a check.”
The FTC will become more aggressive as a result of the settlement, Mr. Newman said. The FTC won on this issue in the 3rd Circuit “and with Wyndham abandoning the fight, I don't see anyone else mounting a serious challenge to the FTC's authority in this area,” he said. “I think they will be much more vigorous in their enforcement efforts here.”
“I think they'll at least pick up the pace, if not become more active,” said Mary Ellen Callahan, a partner with Jenner & Block L.L.P. in Washington. There was a “bit of a lull” while the Wyndham case was pending, she said.
Under terms of the 20-year settlement agreement, the company must establish a comprehensive cyber security program and conduct annual information security audits of its program that conform to the Payment Card Industry Data Security Standard for certification of a company's security program. It must also maintain safeguards in connection to its franchisees' servers.
Referring to the requirement on the payment card industry standard, Ms. Callahan said there has been a lot of discussion that the standard is insufficient.
Many of the companies that have been breached followed this standard “and to use that as your baseline almost concedes that the paradigm isn't perfect,” said Ms. Callahan, who is former chief privacy officer for the U.S. Department of Homeland Security.
But, “If you agree to these objective third-party standards, you're good enough, even if being good enough means you can be subject to a breach,” she said.
“The FTC may want to make sure there are objective standards on which they can judge any of the companies,” Ms. Callahan said.
FTC Chairwoman Edith Ramirez said in the FTC's statement that the settlement “marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security.”
“Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area,” she added.
Wyndham said in a statement, “We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC's position could have had a negative impact on the franchise business model.
“This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information.
“Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyber attacks,” said the company.