Wyndham Worldwide Corp. will set up a wide-ranging information security program to protect cardholder data as part of a settlement reached with the US Federal Trade Commission to end a case, filed in 2012, that effectively clarified the commission’s authority to regulate data security practices.
Wyndham is not required to pay any monetary fine but its obligations under the settlement will last for 20 years. The settlement does not apply to any other categories of personally identifiable information
“We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model,” said Wyndham, in a statement. “This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information.
The case can be traced to multiple data breaches at some Wyndham hotels and resorts from 2008 to 2010. In 2012, the FTC filed a lawsuit against Wyndham Worldwide and three subsidiaries for allegedly engaging in unfair and deceptive practices related to the protection of customer personal information. Wyndham decided to take on the federal entity, filing a motion to dismiss the lawsuit and challenge FTC’s cybersecurity regulator authority.
A lengthy court battle ensued and caught the eyes of many due to the fact the FTC’s regulatory authority was being questioned. A district court judge unequivocally ruled in favor of the FTC’s authority but certified its decision on the unfairness claim for an interlocutory appeal.
Last August, a US Circuit Court of Appeals in Philadelphia unanimously upheld the lower court’s ruling, but the actual allegations against Wyndham still needed to be decided. Now the case has been settled.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez, in a statement. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Roberta Anderson, partner in the Pittsburgh office of K&L Gates, told Advisen: “The Wyndham settlement, though presumably favorable from FTC and Wyndham viewpoints, is likely to disappoint many, including myself, who were waiting for a decision on the ultimate merits as to whether Wyndham’s data security practices unfairly exposed cardholder data to criminal hackers.”
This content originally appeared in Cyber Front Page. To read the whole story, you must be a subscriber. Subscribe now.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
