I first reported to you in 2012 about the Federal Trade Commission (FTC) bringing legal action against Wyndham Hotels and Resorts for failing to protect its customers’ personal information, including credit and debit card information. Earlier this year I reported to you about the Appeals Court upholding the FTC’s action. Now, Wyndham and the FTC have settled the case. Wyndham has agreed to establish a comprehensive data security program intended to protect customer information, including credit and debit card numbers. The FTC took action against Wyndham for failing to “maintain reasonable and appropriate data security for consumers’ sensitive personal information” following a series of three major data breaches by Russian hackers affecting more than 600,000 credit and debit cards of Wyndham customers. Wyndham had argued in court that the FTC did not have the authority to punish a business for having lax security practices, and further argued that the FTC was punishing the victim rather than the perpetrator of the data breaches. Wyndham argued that punishing it was akin to taking legal action against a supermarket for being “sloppy about sweeping up banana peels.” The Appeals Court judges were not convinced by this argument, and in their opinion they wrote that it “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under the FTC Act.”
Wyndham also argued that it should not be punished because its standards for cybersecurity were different from those of the FTC. Again, however, the Appeals Court judges were unconvinced, saying, “the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points…did not restrict specific IP addresses at all… did not use any encryption for certain customer files… and did not require some users to change their default or factory-setting passwords at all.” In other words, the FTC’s complaint was not about Wyndham choosing a weaker standard than the FTC would have preferred; it was about basic, widely recognized safeguards being absent altogether.
Having lost in the Appeals Court, Wyndham agreed to a settlement rather than continue litigation with little chance of success. Under one of the terms of the settlement, Wyndham must, for the next twenty years, obtain annual security audits of its cardholder data environment that conform to the Payment Card Industry Data Security Standard (PCI DSS) and certify that its security program meets that standard.
This is a major victory for consumers and a warning to companies that they must do more than give lip service to cybersecurity and to protecting the personal information of their customers. As FTC Chairwoman Edith Ramirez said following the settlement, “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security. Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.” There is little that we as individual consumers can do to encourage companies to do a better job of protecting our personal information, although recent class actions against companies suffering data breaches, alleging negligently inadequate security, are a start. However, having the weight of the federal government brought to bear on companies on behalf of consumers is a very positive development.