News Briefs

By ALM Staff | Law Journal Newsletters | August 30, 2012

Wyndham Hotels Charged For Franchisees' Data Breaches

On June 26, the Federal Trade Commission (“FTC”) filed a lawsuit against Wyndham Worldwide Corporation and three of its subsidiaries, alleging that they engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 Wyndham-brand franchised hotels. The litigation is Federal Trade Commission v. Wyndham Worldwide Corporation et al., U.S. District Court for the District of Arizona, case no. 12-cv-1365.

The complaint arose after three data security breaches of Wyndham's centralized database that affected more than 619,000 customers. The breaches occurred through franchisee computer systems, which were linked to the corporate data center. Wyndham was notified after the first breach and promised to fix the problem, but two more breaches occurred.

The FTC said that consumers were billed more than $10 million on stolen accounts.

“The FTC's complaint is significant for two reasons,” said Alysa Zeltzer Hutnik, partner with Kelley Drye & Warren LLP in Washington, DC. “One, it represents the first time that the FTC will litigate its theory as to whether an entity's privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act. Past FTC cases have resulted in pre-litigation settlements or informal closings of investigations. Two, the lawsuit reflects the FTC's position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.”

The FTC's complaint seeks to make the link between franchisor and franchisee explicit. The lawsuit states: “At all relevant times, Hotel Group and Wyndham Worldwide have performed various business functions on behalf of Hotels and Resorts, or overseen such business functions, including legal assistance, human resources, finance, and information technology and security. Hotel Group and Wyndham Worldwide controlled the acts and practices of Hotels and Resorts that are at issue in this Complaint.”

Given that level of control, the FTC pointed to numerous alleged data security flaws that, cumulatively, led to security breaches. “No privacy plan is perfect,” said Hutnik. “The FTC is looking at whether you are, on the whole, acting responsibly and remedying vulnerabilities when they become known.”

Wyndham's system was highly vulnerable, according to the complaint, because of flaws that included a lack of a firewall between franchisees and the Wyndham network, inadequate training and oversight of how franchisees created passwords (passwords were too simple), and the connection of non-secure franchisee servers to the network.

Wyndham's response, provided to FBLA by e-mail, is: “We cooperated fully with the Federal Trade Commission regarding its investigation of previously reported data breaches that occurred from 2008 to 2010, in which cyber criminals potentially accessed a limited amount of customer information at some Wyndham Hotels and Resorts-brand hotel properties.

“At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks. Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.

“We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.

“In a time when cyber attacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide. Unfortunately, as this matter is now the subject of pending litigation, it would be inappropriate for us to provide further comment at this time.”

Higher Franchise Monetary Exemptions in Effect

Since July 1, 2012, higher monetary thresholds for large-franchisee exemptions have been in effect. The FTC announced the new thresholds earlier in the year, raising exemptions to account for Consumer Price Index inflation increases in the last four years. The thresholds exempt franchisors from disclosure requirements when:

  • the purchaser's initial payment is less than $540 (formerly $500);
  • the initial investment is at least $1,084,900 (formerly $1 million), excluding the cost of unimproved land and any franchisor (or affiliate) financing; or
  • a franchisor sells to large entities, such as airports, hospitals, and universities that have been in business for at least five years and have a net worth of at least $5,424,500 (formerly $5 million).
