FTC and Wyndham Hotels Reach Agreement to Settle Data Breach Charges | Practical Law

The FTC has announced it has reached an agreement with Wyndham Worldwide Corp., settling charges that the company unfairly exposed customers’ payment card information in three separate data breaches.

Practical Law Legal Update w-001-0453 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 09 Dec 2015, USA (National/Federal)
On December 9, 2015, the FTC announced in a press release the settlement of charges against Wyndham Worldwide Corp., after claims that Wyndham had unfairly exposed hundreds of thousands of customers’ payment card information during three separate data breaches.
In 2012, the FTC launched an enforcement action against Wyndham after three data breach incidents occurred in 2008 and 2009, in which hackers obtained payment card information from a total of 619,000 consumers, resulting in at least $10.6 million in fraud losses. Although Wyndham challenged the FTC’s authority to bring such an action, the US Court of Appeals for the Third Circuit upheld the FTC’s authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act (15 U.S.C. § 45(a)) (FTC v. Wyndham Worldwide Corp. (3d Cir. Aug. 24, 2015)). For more information on the Third Circuit’s decision, see Legal Update, Making Sense of the FTC’s Data Security Standards and its Wyndham Win.
Under the terms of the settlement, Wyndham must, among other things:
  • Establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customers’ payment card data.
  • Annually obtain an independent, third-party written assessment of its information security program that demonstrates compliance with the Payment Card Industry (PCI) Data Security Standards (DSS), or a comparable FTC-approved standard.
  • In the event of a data breach affecting more than 10,000 payment card numbers, obtain an independently produced PCI Forensic Investigator Final Incident Report, or a comparable FTC-approved report, within 180 days of the breach's discovery.
  • Provide the FTC with copies of all such assessments and reports within ten days of receiving them from its independent assessors or investigators.
  • Adhere to these obligations for the next 20 years.
The proposed settlement order is available on the FTC’s website.