Man in violation of privacy law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Antitrust Law Daily, December 9, 2015

Wyndham, FTC settle data security unfair practices claims

By Greg Hammond, J.D.

Wyndham Worldwide Corp. has agreed to settle FTC claims that it violated the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. The settlement agreement requires Wyndham to establish a comprehensive information security program that protects cardholder data and to conduct annual information security audits (FTC v. Wyndham Worldwide Corp., File No. 1023142, Dkt. 2:13-CV-01887-ES-JAD).

The FTC filed suit in 2012, alleging that Wyndham and its subsidiaries violated the deceptive and unfair prongs of Section 5(a) of the FTC Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information. Hackers allegedly gained access on three separate occasions to Wyndham’s computer network, obtaining payment card information from over 619,000 customers and resulting in $10.6 million in fraud loss. The U.S. Court of Appeals in Philadelphia most recently affirmed a lower court’s order denying dismissal, finding that the FTC has authority to regulate cybersecurity under the FTC Act and Wyndham had fair notice that its specific data security practices could fall short of §45(a) of the FTC Act.

The stipulated order requires that Wyndham create a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of cardholder data it collects or receives in the United States from or about consumers. Among other requirements, Wyndham must designate at least one employee to coordinate and account for the information security program; identify material risks to the security, confidentiality, and integrity of cardholder data that could result in unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise; and design and implement reasonable safeguards.

In addition, Wyndham has agreed to provide an annual written assessment of the extent of compliance with the Payment Card Industry Data Security Standard or a comparable standard approved by the FTC Bureau of Consumer Protection Associate Director for Enforcement.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” stated FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

Attorneys: Kevin H. Moriarty, FTC. Eugene F. Assaf (Kirkland & Ellis LLP) for Wyndham Worldwide Corp.

Companies: Wyndham Worldwide Corp.; Wyndham Hotel Management, Inc.; Wyndham Hotel Group, LLC

MainStory: TopStory Privacy FederalTradeCommissionNews

Back to Top

Antitrust Law Daily

Introducing Wolters Kluwer Antitrust Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.