On the face of it, Wyndham Hotels and Resorts dodged a major bullet from the Federal Trade Commission (FTC).
After three major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges, the company earlier this month settled a lawsuit brought by the FTC that doesn’t require it to pay a penny in fines or even admit that it did anything wrong.
The agency had charged Wyndham in 2012 with “unfair and deceptive practices” because it promised customers rigorous, “industry standard” security of their data when its actual security was weak to nonexistent according to the FTC, which was affirmed by federal courts.
But all the settlement requires Wyndham to do, according to a press release from the FTC, is, “establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates,” plus conduct annual information security audits and “maintain safeguards in connections to its franchisees’ servers.”
That is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS).
As Derek Brink, vice president and research fellow at the Aberdeen Group, put it in a written response to CSO that became a blog post, “the PCI Data Security Standard that says they had to do this was formalized about three and a half years prior to the first breach, and was itself preceded by independent cardholder security programs of the five major brands.”
Brink also noted that while the breaches began in April 2008, the FTC didn't sue the company until four years later, and the settlement came almost three and a half years after that – what he called a “glacially slow timeline,” during which, “the taxi meter of legal fees (was) rolling up expenses for both the taxpayer and the shareholders of Wyndham …”
But, as is often the case in legal proceedings, things are not necessarily as they appear on the face of it.
Several experts agreed with Brink, that most of the settlement requirements are the same requirements that have been in place for years under the PCI DSS. But they note that the PCI DSS is not a government standard and is not a law – it was established by an association of the five major card brands – and therefore failure to comply with it is not illegal.
That means the case was not about fines for noncompliance, which the FTC doesn’t even have the authority to impose. It was instead about power – the authority of the FTC to charge Wyndham with “unfair and deceptive” practices because of its security flaws.
Wyndham had argued that the FTC didn’t have the authority to bring charges against it with regard to its cybersecurity practices. But the federal Third District Court rejected that argument, and the Third Circuit Court of Appeals affirmed the FTC’s authority in a decision handed down in August.
The settlement doesn’t change that, so on that level, it was “a big win” for the FTC, according to Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF).
“Wyndham basically argued, ‘even if all the facts are as you say, as a matter of law you don’t have the authority to do this because FTC power doesn’t reach that far,’” he said, “and the settlement means the FTC won the battle about its jurisdiction.”
That is also how Scott Talbott, senior vice president of government relations at the Electronic Transactions Association (ETA), sees it.
Any financial penalties for failing to be in compliance would come from the credit card brands that established the PCI DSS, he said, “but that’s done from a private contract standpoint – it’s not a legal requirement.”
None of the parties would say if Wyndham was penalized. The PCI Security Standards Council said it does not comment on compliance sanctions – that any information about it would have to come from the card brands.
The only card brand that responded to CSO was Visa, and Sandra Chu of its Corporate Communications office said the company is, “not able to comment on specific cases or potential compliance fees.”
And Wyndham did not respond to a question about whether any penalty had been imposed by the card brands. It instead pointed CSO to the prepared statement it had issued after the settlement with the FTC was announced, which said in part that it was, “pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.”
But Talbott said the recent settlement does strengthen the FTC’s regulatory hand, because it, “adds another layer – a government regulatory layer – to the requirement for security.”
That, he said, means that future data breaches that expose customer data because of weak cybersecurity means the breached company could be subject to both contractual and regulatory sanctions.
While the present settlement only applies directly to Wyndham, “other businesses will certainly take notice, even though they’re in other lines of business,” Talbott said.
Part of the reason for the FTC seeking regulation of cybersecurity through legal decisions, he said, is that while there is currently a federal standard for data protection governing banks, there is no such federal standard for non-banks.
“This is what the FTC is trying to establish, through a series of court cases,” he said.
Of course, Congress could also establish a standard through legislation, and Talbott said there is the potential for that with two House bills that have been reported favorably out of the Financial Services and Health, Energy and Commerce committees.
“There is a companion bill in the Senate as well,” he said.
The House bill, filed in May, was reported favorably out of committee Dec. 9 on a 46-9 vote.