We have been following the hard-fought case between the FTC and Wyndham over an investigation that the FTC launched following a series of data breaches of Wyndham’s payment card information between 2010 and 2012 (see related post). Wyndham was the first company to challenge the FTC’s jurisdiction to regulate data security measures under Section 5 of the FTC Act. The Third Circuit recently backed the FTC’s position.
The FTC alleged that Wyndham’s security practices “unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.”
After the years-long battle, and on the heels of the Third Circuit decision, the FTC announced today that the case has settled. Under the settlement, Wyndham does not pay any fines or penalties but, consistent with past FTC settlements, agrees to implement a comprehensive information security program for cardholder data for 20 years, to obtain a written assessment of Wyndham’s compliance with the program, and to certify compliance annually for the next 20 years to the FTC Bureau of Consumer Protection.
Further, Wyndham is required to deliver a copy of the Order of Injunction to “all controlling principals, board of directors members, and LLC managers and members…all officers, employees, agents, and representatives having responsibilities relating to the subject matter of this Order; …and any business entity resulting from any changes in structure…” for the next 10 years.
Finally, Wyndham must submit a compliance report to the Commission within one year confirming that it has complied with all provisions of the Order.
The battle was hard-fought, and the Order is nearly identical to previous Orders entered into with businesses that have suffered data breaches in the past. But in this case, no fine or penalty was paid to the FTC. Nonetheless, it will be interesting to see how the LabMD case may change the landscape.