Wyndham and FTC Settle Case Over “Unfair” Data Security Practices
Wednesday, January 6, 2016
Wyndham and FTC Settle Case Over “Unfair” Data Security Practices
Print Mail Download i

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;

  • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;

  • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;

  • Provide all assessments to FTC;

  • Keep records relied on to prepare each annual assessment for three years; and

  • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Current Legal Analysis

More from Mintz

DOJ Releases COVID-19 Fraud Enforcement Task Force Report Touting Its Successes and Urging Lawmakers to Enact New Legislation
by: Jane Haviland , Abdie Santiago
SEC’s Enforcement Authority Over Crypto Asset Transactions Upheld (Again) in Case Against Coinbase
by: Cory S. Flashner , Steve Ganis
Canada’s 2024 Federal Budget: The Time Is Now ... to Lock in Lower Tax Rates
by: Katy Pitch
American Privacy Rights Act – Another Shot at a Comprehensive Federal Privacy Law
by: Cynthia J. Larose , Christopher J. Buontempo
Tony Bennett May Have Left His Heart in San Francisco but the City's Appeal of Its NPDES Permit is on its Way to the United States Supreme Court.
by: Jeffrey R. Porter
Navigating Health Tech: Regulations for AI/ML in Medical Devices and Software [Video]
by: Benjamin M. Zegarelli , Pat G. Ouellette
Supreme Court Narrows the Reach of Omission Liability Claims Under Section 10(b) of the Exchange Act
by: Douglas P. Baumstein , Jason C. Vigna
Office of the Level Playing Field
by: Jennifer B. Rubin
The Sun is About to Set on Temporary CCPA/CPRA Exemptions: Employers Get Ready
by: Cynthia J. Larose
New Jersey Adopts a Comprehensive Data Privacy Law
by: Cynthia J. Larose , Jon Taylor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins