Wyndham Settles with FTC

Last month, Wyndham Worldwide Corp. settled its lengthy civil case with the Federal Trade Commission.  The suit began in 2012, when the FTC sued Wyndham and three of its subsidiaries, alleging three data breaches between 2008 and 2010 were a result of Wyndham’s data security failures.  Despite Wyndham’s attempts to dismiss the suit by arguing the FTC had no authority over Wyndham’s conduct, the Third Circuit Court of Appeals upheld the FTC’s authority under Section 5 of the FTC Act.

The settlement that resulted from this suit requires Wyndham to establish and maintain, for the next 20 years, a comprehensive security program that is designed to protect cardholder data.  Among other things, this comprehensive security program requires Wyndham to identify material internal and external risks to cardholder data, design and implement reasonable safeguards to control the risks identified through the risk assessment and conduct regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.

Additionally, Wyndham is required to obtain annual information security assessments by a qualified, objective, independent third-party professional and, following discovery of a breach involving more than 10,000 unique payments card numbers, Wyndham must obtain an assessment that meets the requirements by the PCI Security Standards Council.  The settlement did not include an admission of wrongdoing by Wyndham nor a monetary sanction.

As the courts continue to determine the scope of the FTC’s authority under Section 5 of the FTC Act, companies must continue to ensure adequate security safeguards are in place, because even without monetary sanctions, the additional audits and government oversight that can be required as a result of data security failures may be lengthy and costly.

About The Author
Posted in FTC, Litigation, Regulations, Standards

Leave a Reply

Your email address will not be published. Required fields are marked *

*

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Receive Email Updates

Email:

Cozen O’Connor Blogs