Wyndham settlement: No fine, but more power to the FTC

The Federal Trade Commission didn’t even issue a slap on the wrist to Wyndham Hotels for weak security practices that allowed multiple data breaches. But experts say that wasn’t the point – the point was to establish the FTC’s authority over companies’ cybersecurity practices, and that remains after the recent settlement between the two parties.

On the face of it, Wyndham Hotels and Resorts dodged a major bullet from the Federal Trade Commission (FTC).

After three major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges, the company earlier this month settled a lawsuit brought by the FTC that doesn’t require it to pay a penny in fines or even admit that it did anything wrong.

The agency had charged Wyndham in 2012 with “unfair and deceptive practices” because, according to the FTC, the company promised customers rigorous, “industry standard” security of their data while its actual security was weak to nonexistent – a position that federal courts later affirmed.

But all the settlement requires Wyndham to do, according to a press release from the FTC, is, “establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates,” plus conduct annual information security audits and “maintain safeguards in connections to its franchisees’ servers.”

That is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS).

As Derek Brink, vice president and research fellow at the Aberdeen Group, put it in a written response to CSO that became a blog post, “the PCI Data Security Standard that says they had to do this was formalized about three and a half years prior to the first breach, and was itself preceded by independent cardholder security programs of the five major brands.”

Brink also noted that while the breaches began in April 2008, the FTC didn't sue the company until four years later, and the settlement came almost three and a half years after that – what he called a “glacially slow timeline,” during which, “the taxi meter of legal fees (was) rolling up expenses for both the taxpayer and the shareholders of Wyndham …”

But, as is often the case in legal proceedings, things are not necessarily as they appear on the face of it.

Several experts agreed with Brink that most of the settlement requirements are the same requirements that have been in place for years under the PCI DSS. But they note that the PCI DSS is not a government standard and is not a law – it was established by an association of the five major card brands – and therefore failure to comply with it is not illegal.

That means the case was not about fines for noncompliance, which the FTC doesn’t even have the authority to impose. It was instead about power – the authority of the FTC to charge Wyndham with “unfair and deceptive” practices because of its security flaws.

Wyndham had argued that the FTC didn’t have the authority to bring charges against it with regard to its cybersecurity practices. But the federal Third District Court rejected that argument, and the Third Circuit Court of Appeals affirmed the FTC’s authority in a decision handed down in August.

The settlement doesn’t change that, so on that level, it was “a big win” for the FTC, according to Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF).

“Wyndham basically argued, ‘even if all the facts are as you say, as a matter of law you don’t have the authority to do this because FTC power doesn’t reach that far,’” he said, “and the settlement means the FTC won the battle about its jurisdiction.”

That is also how Scott Talbott, senior vice president of government relations at the Electronic Transactions Association (ETA), sees it.

Any financial penalties for failing to be in compliance would come from the credit card brands that established the PCI DSS, he said, “but that’s done from a private contract standpoint – it’s not a legal requirement.”

None of the parties would say if Wyndham was penalized. The PCI Security Standards Council said it does not comment on compliance sanctions – that any information about it would have to come from the card brands.

The only card brand that responded to CSO was Visa, and Sandra Chu of its Corporate Communications office said the company is, “not able to comment on specific cases or potential compliance fees.”

And Wyndham did not respond to a question about whether any penalty had been imposed by the card brands. It instead pointed CSO to the prepared statement it had issued after the settlement with the FTC was announced, which said in part that it was, “pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.”

But Talbott said the recent settlement does strengthen the FTC’s regulatory hand, because it, “adds another layer – a government regulatory layer – to the requirement for security.”

That, he said, means that a company whose future data breach exposes customer data because of weak cybersecurity could be subject to both contractual and regulatory sanctions.

While the present settlement only applies directly to Wyndham, “other businesses will certainly take notice, even though they’re in other lines of business,” Talbott said.

Part of the reason for the FTC seeking regulation of cybersecurity through legal decisions, he said, is that while there is currently a federal standard for data protection governing banks, there is no such federal standard for non-banks.

“This is what the FTC is trying to establish, through a series of court cases,” he said.

Of course, Congress could also establish a standard through legislation, and Talbott said there is the potential for that with two House bills that have been reported favorably out of the Financial Services and Health, Energy and Commerce committees.

“There is a companion bill in the Senate as well,” he said.

The House bill, filed in May, was reported favorably out of committee Dec. 9 on a 46-9 vote.

Stories by Taylor Armerding