By Greg Hammond, J.D.
Wyndham Worldwide Corp. has agreed to settle FTC claims that it violated the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. The settlement agreement requires Wyndham to establish a comprehensive information security program that protects cardholder data and to conduct annual information security audits (FTC v. Wyndham Worldwide Corp., File No. 1023142, Dkt. 2:13-CV-01887-ES-JAD).
The FTC filed suit in 2012, alleging that Wyndham and its subsidiaries violated the deceptive and unfair prongs of Section 5(a) of the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. Hackers allegedly gained access to Wyndham’s computer network on three separate occasions, obtaining payment card information from over 619,000 customers and resulting in $10.6 million in fraud loss. The U.S. Court of Appeals in Philadelphia most recently affirmed a lower court’s order denying dismissal, finding that the FTC has authority to regulate cybersecurity under the FTC Act and that Wyndham had fair notice that its specific data security practices could fall short of §45(a) of the FTC Act.
The stipulated order requires that Wyndham create a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of cardholder data it collects or receives in the United States from or about consumers. Among other requirements, Wyndham must designate at least one employee to coordinate and account for the information security program; identify material risks to the security, confidentiality, and integrity of cardholder data that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise; and design and implement reasonable safeguards.
In addition, Wyndham has agreed to provide an annual written assessment of the extent of compliance with the Payment Card Industry Data Security Standard or a comparable standard approved by the FTC Bureau of Consumer Protection Associate Director for Enforcement.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” stated FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Attorneys: Kevin H. Moriarty, FTC. Eugene F. Assaf (Kirkland & Ellis LLP) for Wyndham Worldwide Corp.
Companies: Wyndham Worldwide Corp.; Wyndham Hotel Management, Inc.; Wyndham Hotel Group, LLC