On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corp., Wyndham Hotel Group LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. (“Wyndham”) had agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of consumers to hackers in three separate data breaches between April 2008 and January 2010. Wyndham initially challenged the FTC’s authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act’s unfairness prong which resulted in litigation initiated by the FTC in 2012. Subsequently, an August 2015 opinion by the Third Circuit Court of Appeals affirmed U.S. District Court Judge Esther Salas’ April 2014 ruling that the FTC did have such authority to regulate cybersecurity practices. (Prior blog posts on this case can be found here and here).
The proposed stipulated court order — which does not constitute an admission by Wyndham as to the allegations in the FTC’s Complaint — requires Wyndham to establish a comprehensive information security program as it relates to payment card information, and to obtain annual security audits of its program that conform to PCI-DSS standards. The order also requires Wyndham’s audit to:
- certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
- certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
- certify that the auditor is qualified, independent and free from conflicts of interest.
In the event Wyndham experiences a data breach in the future affecting more than 10,000 payment card numbers, Wyndham must obtain an assessment of the breach and provide that assessment directly to the FTC within 10 days. Wyndham’s obligations under the settlement extend for up to twenty (20) years upon entry of the court’s order.
While Wyndham held that the FTC’s unfairness authority extends to data security, a recent case suggests that the proof required to establish that a company’s act or practice “causes or is likely to cause substantial injury” in the data security context is a high bar. In a November 13, 2015 decision, In re LabMD Inc., the FTC’s Chief Administrative Law Judge, D. Michael Chappell, called into question FTC enforcement in the data privacy space. Judge Chappell dismissed the FTC’s complaint against LabMD, finding that the FTC failed to carry its burden of demonstrating a “likely substantial injury” resulting from LabMD’s allegedly “unfair” data security practices. Judge Chappell ruled that the FTC is required to show that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury. Given the ramifications of this decision, the FTC has filed a formal notice seeking an appeal before the full Commission. (Additional information on Judge Chappell’s decision can be found here).