The recent settlement entered into between the Federal Trade Commission (FTC) and Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court, provides Wyndham Hotels and Resorts with a safe harbor from liability for payment card breaches. Other companies should consider whether they should adopt practices that will allow them to argue that this safe harbor should apply to them too (or whether their existing practices are already consistent with this safe harbor). Finally, this Consent Order is a victory for companies operating under the franchise business model because the FTC backed off from its position that Wyndham must guarantee the security of franchised operations.
The Consent Order requires only Wyndham Hotels and Resorts – not Wyndham generally and not any of the hotels affected by the hacking incidents – to adopt a comprehensive information security program. Moreover, the program covered by the Consent Order applies to payment card information only, not to all categories of personal information.
In agreeing to the entry of this Consent Order, the FTC made a significant departure from its past practices by expressly identifying, in the binding paragraphs of the Consent Order, the necessary elements of a comprehensive security program. Specifically, Wyndham can satisfy its obligations under the Consent Order with a security program that contains the following elements:
- Designation of an individual or individuals responsible for the security program;
- Identification of risks through risk assessments;
- Design and implementation of reasonable safeguards to control the risks identified through risk assessments;
- Establishment of reasonable procedures to select and maintain service providers; and
- Adjustment of the information security program where appropriate in light of the required risk assessments and monitoring, or of material changes to operations.
This listing is a summary; these requirements are spelled out in greater detail in the binding paragraphs of the Consent Order.
Companies subject to FTC jurisdiction should consider how their current data security programs line up against these requirements.
Most important, the Consent Order provides that by obtaining certain certifications related to Payment Card Industry (“PCI”) compliance, Wyndham Hotels and Resorts can satisfy its reporting requirement under the Consent Order and demonstrate its compliance with the Consent Order. This certification procedure effectively establishes a safe harbor through which Wyndham Hotels and Resorts can show its compliance with the Consent Order. Other companies under the jurisdiction of the FTC should consider whether their existing procedures for establishing PCI compliance are consistent with the certification procedures set forth in the Consent Order.
Finally, the Consent Order does not make Wyndham responsible for data security practices at any franchised hotel. This is a significant point, as the FTC in the litigation advocated making Wyndham responsible for the data security practices at franchised sites. Wyndham argued against having such responsibility because it would have turned the franchise business model upside down by eroding long-established parameters concerning the level of control typically maintained by franchisors over franchisees. The Consent Order maintains these established parameters because it does not require Wyndham to guarantee the data security practices at independently owned and operated hotel locations.
The battle between the FTC and Wyndham was long and hard fought. Ultimately, industry won because the Consent Order sets forth a clear framework for companies to minimize their regulatory risk going forward.
Wyndham and certain of its affiliates are clients of BakerHostetler. BakerHostetler has not represented Wyndham in connection with the data security incidents referenced in the FTC’s complaint, or in the proceedings brought by the FTC.
BakerHostetler’s nationally recognized Privacy and Data Protection practice regularly counsels clients on data protection issues, including creating and operating compliance programs, assessing and mitigating risks, and preparing for and responding to incidents. Our annual report on lessons learned from working on over 200 breaches in the last year alone is here. For more information, contact the authors. Look next week for a post from the authors on further implications for industry of the 3rd Circuit’s Wyndham decision and the recent administrative law judge opinion in LabMD.