According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
The FTC alleged that between April 2008 and January 2010, intruders gained unauthorized access to Wyndham’s computer network on three occasions, on each occasion accessing sensitive personal information stored in Wyndham’s hotel property management system. The FTC alleged that the data breaches resulted in the compromise of more that 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia, allegedly causing fraudulent charges and more than $10.6 million in fraud loss.
As discussed here, the FTC alleged that the defendants’ alleged failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information violated the prohibition in Section 5(a) of the Federal Trade Commission Act of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.” The FTC’s lawsuit sought to compel the company to improve its security measures and to remedy any harm its customers have suffered.
In an April 7, 2014 decision, District of New Jersey Judge Esther Salas denied the defendants’ motion to dismiss and rejected the hotel chain’s arguments that the FTC does not have the authority to regulate data-security practices and that the agency has to issue regulations before bringing a data breach enforcement action. She also held that the FTC’s allegations were sufficient to state a claim for purposes of the motion to dismiss. The company filed an appeal to the Third Circuit.
As discussed here, on August 24, 2015, in a unanimous opinion written by Judge Thomas Ambro for a three-judge panel, the Third Circuit affirmed the district court’s rulings, specifically holding that the FTC has authority to bring cybersecurity related actions on the basis that they are “unfair”; and holding that Wyndham had sufficient notice of the possible regulatory requirements.
Following the appeal, the case returned to the district court for further proceedings, and on December 9, 2015, the company and the FTC each issued press releases announcing that the parties had settled the action.
In its press release, the company emphasized that the settlement “does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.” The settlement also provides the company with safe harbor protection as long as it continues to meet certain requirement for “reasonable information security” outlined in the stipulated order. The company also emphasized in its press release that the stipulated order applies only to payment card information and does not apply to other categories of personally identifiable information.
As summarized in the FTC’s press release, the parties’ settlement specifies that the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.” In addition, the company is required to conduct annual information security audits and maintain safeguards in connection to its franchisees’ servers. The annual audit must conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. The order provides that if Wyndham obtains the specified certifications, it will be deemed in compliance with the comprehensive information security program provision of the order; however, this compliance provision is not effective if Wyndham in any way misleads or provides false information during the annual audit and assessment process.
The order also requires that if Wyndham sustains another data breach affecting more than 10,000 payment card numbers, the company must obtain an assessment of the breach and provide the assessment to the FTC within ten days.
The Commission vote approving of the proposed stipulated order was 4-0. If approved, Wyndham’s obligations under the stipulated order would last for 20 years.
Both this case and its settlement have a number of important ramifications. Among other things, the rulings in the case – particularly the Third Circuit’s affirmance of the lower court’s denial of the motion to dismiss – affirmed that the FTC has a role to play in policing companies in the U.S. with respect to their cyber security. The courts’ rulings confirmed that a company’s data security practices can be a deceptive or unfair trade practice and also confirmed that the FTC’s authority includes the ability to bring enforcement actions relating to data breaches even if the agency has not previously issued regulations addressing the specific practices in question. As I said at the time of the Third Circuit’s opinion in the case, the clear implication is that for companies that experience a data breach, the adverse consequences may include not only disruption, expense, and adverse publicity, but also the possibility of a regulatory enforcement action as well.
The settlement itself also has important implications. As I noted above, Wyndham itself said in its press release that the settlement “sets a standard for what the government considers reasonable data security of payment card information.” Because so many of the high-profile data breaches that afflict companies involved payment card information, the specifics of the settlement agreement could be important for companies interested in avoiding regulatory criticism of its cybersecurity practices if the company were to at some point suffer a payment card information-related data breach. The implication for these companies from the settlement seems to be that meeting Payment Card Industry certification requirements arguably may be sufficient to avoid regulatory action if the company later suffers a payment card information-related data breach.
This settlement marks the final step in the long litigation processes in which Wyndham became involved following its data breaches. In addition to the FTC’s regulatory action, the company was also subject to a data-breach related shareholder derivative action. However, as discussed here, the shareholder derivative action was dismissed at the initial pleading stage.
Whether other companies suffering data breaches in the future will become ensnared in these various kinds of legal proceedings remains to be seen. Even though the FTC did in the Wyndham case establish its authority to bring the kind of regulatory enforcement action it filed against Wyndham, more recently (as discussed here) an FTC administrative law judge dismissed an FTC data-breach related enforcement action in a ruling that set a high bar for the kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act. The extent of the FTC’s authority to pursued data breach-related claims will continue to be tested.
So while Wyndham was ensnared in extensive legal proceedings regarding its data breach, it is unclear whether other companies will similarly be bogged down in regulator or shareholder actions. But just the same, well advised companies will want to consider the settlement agreement in the FTC’s action with Wyndham and assess the extent to which the agreement’s terms provide insight on the steps a company might take to try to avoid liability arising from data breaches related to payment card information.