FTC Sues Wyndham for Alleged Data Security Failures
June 27, 2012
The Federal Trade Commission announced that it has filed suit in Arizona against Wyndham Worldwide Corporation and three of the company's subsidiaries for alleged data security failures, which led to three separate breaches. According to the FTC, the breaches impacted over 600,000 consumer payment card account numbers—many of which were exported to a domain registered in Russia—and resulted in more than $10.6 million in fraud loss. The FTC's complaint states that Wyndham's privacy policy deceptively misrepresented the security measures that it took to protect customers' personal information by stating that the company "recognize[s] the importance of protecting the privacy of individual-specific (personally identifiable) information." The FTC also alleges that the company's failure to safeguard consumers' information unfairly caused substantial consumer injury. These alleged deceptive and unfair acts, according to the FTC, violate Section 5 of the Federal Trade Commission Act.
Wyndham's alleged security failures included: (1) allowing improper software configurations that resulted in the storage of sensitive payment card information in clear readable text; (2) failing to use complex user IDs and passwords; and (3) neglecting to employ firewalls to limit access between the Wyndham-branded hotels' property management systems, the corporate network, and the Internet. These purported failures led to an April 2008 breach, allowing intruders to access the computer network of a Wyndham hotel in Phoenix, and compromised over 500,000 payment card accounts. After allegedly failing to employ reasonable measures to detect the unauthorized access and to follow proper incident response procedures, Wyndham's security was breached two more times in 2009. In both subsequent incidents, intruders are alleged to have gained unauthorized access to Wyndham Hotels and Resorts' network, resulting in improper access to over 100,000 consumer payment card accounts.
The FTC asked for a permanent injunction to prevent future violations of the FTC Act and unspecified monetary damages. Unlike many other FTC actions in this privacy and security area, which include a settlement announced quickly after a suit is filed, here the FTC and Wyndham do not appear to be near a settlement. Instead, a Wyndham representative has indicated to the press that the company was cooperating with the FTC investigation, regrets that the FTC filed suit, and intends to fight the agency's lawsuit.
TIP: In addition to maintaining strong data security practices consistent with relevant customer privacy policies, and planning to cooperate with law enforcement or the FTC should the need arise, companies should also ensure that they respond quickly and decisively as soon as they become aware of a breach. Taking steps to stop subsequent breaches can help mitigate potential exposure in an FTC investigation.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.