HB Ad Slot
HB Mobile Ad Slot
Wyndham and FTC Settle Case Over “Unfair” Data Security Practices
Wednesday, January 6, 2016

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;

  • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;

  • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;

  • Provide all assessments to FTC;

  • Keep records relied on to prepare each annual assessment for three years; and

  • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins