BreachExchange mailing list archives

What the FTC’s Settlement With Wyndham Means for Your Company


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Dec 2015 18:45:26 -0700

http://www.jdsupra.com/legalnews/what-the-ftc-s-settlement-with-wyndham-39563/

The recent settlement entered into between the Federal Trade Commission
(FTC) and Wyndham Hotels and Resorts and related companies (Wyndham) provides
an important roadmap for companies seeking to avoid running afoul of the
FTC’s regulation of data security. In particular, this settlement, as
embodied in a Consent Order entered by the Court, provides Wyndham Hotels
and Resorts with a safe harbor for liability for payment card breaches.
Other companies should consider whether they should adopt practices that
will allow them to argue that this safe harbor should apply to them too (or
if their existing practices are already consistent with this safe harbor).
Finally, this Consent Order is a victory for companies operating under the
franchise business model because the FTC backed off from its position that
Wyndham must guarantee the security of franchised operations.

The FTC brought suit against Wyndham after Wyndham Hotels and Resorts
properties were the victims of hacking incidents that resulted in a
compromise of customer payment card data. The FTC’s complaint alleged that
the data security practices in place at the affected hotels and at Wyndham
itself were “unfair” and Wyndham’s privacy policy’s statements regarding
those practices were “deceptive,” in violation of Section 5 of the FTC Act,
15 U.S.C. § 45. (The FTC effectively abandoned the deceptive claim because
it is not referenced in the binding paragraphs of the Consent Order.) Last
Spring, the Third Circuit entered an order in this proceeding affirming the
FTC’s authority to bring “unfairness claims” based on a company’s alleged
failure to establish adequate cybersecurity practices, but also setting a
high bar for the FTC to prove such claims. We previously discussed the
significant proof burdens imposed on the FTC by this decision in our blog
here.

The Consent Order requires only Wyndham Hotels and Resorts – not Wyndham
generally and not any of the hotels affected by the hacking incidents – to
adopt a comprehensive information security program. Moreover, the program
covered by the Consent Order applies to payment card information only, not
all categories of personal information.

In agreeing to the entry of this Consent Order, the FTC made a significant
departure from its past practices by expressly identifying in the binding
paragraphs of the Consent Order the necessary elements of a comprehensive
security program. Specifically, Wyndham can satisfy its obligations under
the Consent Order with a security program that contains the following
elements:

- Designation of an individual or individuals responsible for the security
program;
- Identification of risks through risk assessments;
- Design and implementation of reasonable safeguards to control the risks
identified through risk assessments;
- Establishment of reasonable procedures to select and maintain service
providers; and
- Adjustment of the information security program where appropriate due to
risks and monitoring required or through material changes to operations.

This listing is a summary; these requirements are spelled out in greater
detail in the binding paragraphs of the Consent Order.

Companies subject to FTC jurisdiction should consider how their current
data security programs line up against these requirements.

Most important, the Consent Order provides that by obtaining certain
certifications related to Payment Card Industry (“PCI”) compliance, Wyndham
Hotels and Resorts can satisfy its reporting requirement under the Consent
Order and show its compliance with the Consent Order. This certification
procedure effectively establishes a safe harbor through which Wyndham
Hotels and Resorts can show its compliance with the Consent Order. Other
companies under the jurisdiction of the FTC should consider whether their
existing procedures for establishing PCI compliance are consistent with the
certification procedures set forth in the Consent Order.

Finally, the Consent Order does not require Wyndham to be responsible for
data security practices at any franchised hotel. This is a significant
point as the FTC in the litigation advocated making Wyndham responsible for
the data security practices at franchised sites. Wyndham argued against
having such responsibility, because it would have turned the franchise
business model upside down, in terms of eroding long-established parameters
concerning the level of control typically maintained by franchisors over
franchisees. The Consent Order maintains these established parameters
because it does not require Wyndham to guarantee the data security
practices at independently owned and operated hotel locations.

The battle between the FTC and Wyndham was long and hard fought.
Ultimately, industry won because the Consent Order sets forth a clear
framework for companies to minimize their regulatory risk going forward.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 