
Wyndham Settles FTC Data Breach Suit

By Jenna Greene
December 31, 2015

Being a test case can make you a hero, your name immortalized in case cites as you bask in amici gratitude.

Or it can be a bust.

For Wyndham Worldwide Corp., which challenged the Federal Trade Commission's authority to act as data security cop, it was the latter.

After three-and-a-half years of litigation and an unequivocal defeat before the U.S. Court of Appeals for the Third Circuit, the hotel chain settled its data security breach case with the FTC on December 8.

The terms were probably no better than if Wyndham had simply caved right away, and the litigation, the first appellate challenge to the FTC's jurisdiction to bring such cases, only served to bolster the agency's authority going forward.

“We're pleased this case led to a strong validation in court of [the FTC's] data security programs, which continue to be one of our highest priorities,” said Bureau of Consumer Protection head Jessica Rich in a conference call with reporters. “These rulings should make it clear to everyone that the FTC's work on this issue applies well-established FTC law and will continue.”

The FTC sued Wyndham in 2012 after hackers on three occasions in 2008 and 2009 successfully accessed the company's computer systems. They stole personal and financial information for hundreds of thousands of consumers, which resulted in more than $10.6 million in fraudulent charges, according to the Third Circuit's Aug. 24 opinion. FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015).

The FTC in its complaint said Wyndham's security practices were unfair and deceptive and violated the FTC Act.

Wyndham Alone In FTC Challenge

Wyndham was not the first company to find itself in trouble with the FTC over allegedly lax data security. The agency has brought more than 50 cybersecurity cases, including actions against large companies such as Twitter Inc., Rite Aid Corp., Snapchat Inc., Fandango LLC and HTC America.

But everyone else folded. They reached settlements that didn't include fines (the FTC lacks the statutory authority to levy monetary penalties for such violations), but typically required the companies to establish comprehensive security programs and undergo monitoring for 20 years.

Wyndham, however, decided to make a stand. Represented by Kirkland & Ellis, Ropes & Gray and Gibbons, the company challenged whether the FTC had the legal authority to regulate cybersecurity practices under the unfairness prong of the FTC Act.

“We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC's position could have had a negative impact on the franchise business model,” the company said in a statement.

Amicus curiae support on both sides poured in. The U.S. Chamber of Commerce, the American Hotel & Lodging Association, the National Federation of Independent Business, the Washington Legal Foundation and the Electronic Transactions Association backed Wyndham.

They argued that the FTC is extracting settlements from businesses that themselves are victimized by data security breaches, and that the agency did not provide fair notice of what security standards are required for compliance.

In the FTC's corner was Public Citizen Inc., Consumer Action, the Center for Digital Democracy, the Electronic Privacy Information Center, the American Civil Liberties Union, the Samuelson Law, Technology & Public Policy Clinic, the Center for Democracy & Technology and the Electronic Frontier Foundation.

The FTC stressed that it doesn't expect perfect security, but does require companies to take reasonable steps to keep consumer data safe. And it argued that Section 5 of the FTC Act is open-ended, “granting the FTC broad authority to pursue unfair practices across a broad range of economic contexts.” Including data security.

After the Third Circuit remanded the case to U.S. District Judge Esther Salas in the District of New Jersey, Wyndham apparently had enough.

The settlement requires the company to “establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years,” according to the FTC. See http://1.usa.gov/1OcX7rw.

However, Wyndham points out that the order applies only to payment card information, not other personally identifiable information. Also, Wyndham said that it is granted a safe harbor if it continues to meet certain requirements for “reasonable information security” outlined in the FTC's consent order.

The deal also requires Wyndham to get an annual independent assessment under the Payment Card Industry Data Security Standard, the industry standard for entities that accept credit cards. In addition, an independent third-party auditor must certify that Wyndham safeguards the connections with its franchisee hotels and that it engages in a comprehensive risk assessment as laid out in the industry-standard risk assessment guidelines.

The company did not admit or deny wrongdoing.

Jenna Greene writes for The Litigation Daily, an ALM affiliate of e-Commerce Law & Strategy. She can be reached at [email protected] or on Twitter @jgreenejenna.
