Last month, Wyndham Worldwide Corp. settled its lengthy civil case with the Federal Trade Commission. The suit began in 2012, when the FTC sued Wyndham and three of its subsidiaries, alleging that three data breaches between 2008 and 2010 were the result of Wyndham’s data security failures. Wyndham moved to dismiss the suit, arguing that the FTC had no authority to regulate its data security practices, but the Third Circuit Court of Appeals upheld the FTC’s authority under Section 5 of the FTC Act.
The settlement that resulted from this suit requires Wyndham to establish and maintain, for the next 20 years, a comprehensive security program designed to protect cardholder data. Among other things, the program requires Wyndham to identify material internal and external risks to cardholder data; to design and implement reasonable safeguards that control the risks identified through that risk assessment; and to conduct regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.
Additionally, Wyndham is required to obtain annual information security assessments from a qualified, objective, independent third-party professional, and, following discovery of a breach involving more than 10,000 unique payment card numbers, Wyndham must obtain an assessment that meets the requirements of the PCI Security Standards Council. The settlement included neither an admission of wrongdoing by Wyndham nor a monetary sanction.
As the courts continue to define the scope of the FTC’s authority under Section 5 of the FTC Act, companies must continue to ensure that adequate security safeguards are in place: even without monetary sanctions, the additional audits and government oversight that can follow from data security failures may be lengthy and costly.