The Wyndham Worldwide hotel chain, which has been fighting with the FTC for years after the hotel chain suffered three security breaches in two years exposing credit card data, settled with the FTC this week.
The hotel went as far as to attempt to get the courts to say that the FTC did not have the authority to regulate corporate cyber hygiene. The court of appeals, in a decision this past summer, disagreed with Wyndham, and said that was within the FTC’s purview.
The FTC had filed suit against Wyndham in the Third Circuit, so to say that this issue was a bit adversarial would be polite.
Apparently Wyndham realized that they were not going to win this battle and settled with the FTC. They declared victory by saying that they did not have to admit they were guilty or pay a fine. Note that the FTC usually does not require either of these as a condition to settling.
What Wyndham did agree to is:
- The FTC will monitor their behavior, cyber security wise, for the next TWENTY years.
- The company will obtain annual security audits of its information security program that conform with the PCI standards – something that they should have been doing anyway.
- The audit will certify that Wyndham is treating franchisee networks as untrusted (the fact that they were trusting the franchisee networks apparently facilitated the previous breaches)
- The audit will also report on whether the hotel chain is compliant with a formal risk assessment process.
- If the hotel has another breach of more than 10,000 cards, they will obtain an assessment of the breach and hand that assessment over to the FTC.
- The order says that if Wyndham gets the necessary compliance certifications that they will be in compliance with this agreement.
The order needs to be approved by the judge overseeing this case, which we assume will not be a problem.
It seems to me that this is only a Pyrrhic victory for Wyndham. While they may declare victory in the press, the FTC got exactly what they wanted and in fact, what they have usually obtained in a much less adversarial manner. In the meantime, the FTC will be watching over Wyndham’s information security program for the next 20 years and Wyndham probably spent tens of millions on legal costs, which they get to eat.
I do suspect that this may be the last time a company who has been breached attempts to fight the FTC in this manner.
While the FTC recently suffered a setback in their case against LabMD, that case was different because there was no show of harm. In the Wyndham case, 600,000+ credit cards were compromised at a cost of over $10 million.
Information for this post came from the FTC.