Last week the Federal Trade Commission ("FTC") filed a lawsuit against Wyndham Worldwide Corporation and three of its subsidiaries (collectively, "Wyndham") accusing them of failing to protect consumers' personal information leading to a series of three data security breaches over a two-year period. The FTC alleges these breaches resulted in the compromise of more than 600,000 payment card accounts, fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia.
The FTC's complaint alleges that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, and that their failure to safeguard personal information caused substantial consumer injury in violation of Section 5 of the FTC Act.
Wyndham's privacy policy provided that "We safeguard our Customers' personally identifiable information by using standard industry practices. Although 'guaranteed security' does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed." The FTC alleges that, despite the promises made in Wyndham's privacy policy, Wyndham failed to provide reasonable security for the personal information it collected and maintained by engaging in a number of practices. The FTC cited a number of specific failures, such as: (i) allowing software to be configured inappropriately, resulting in the storage of payment card information in clear readable text; (ii) failing to employ commonly used methods to require user IDs and passwords that are difficult for hackers to guess; and (iii) failing to adequately inventory computers connected to its network so that Wyndham could appropriately manage the devices on its network. Taken together, these shortcomings unreasonably and unnecessarily compromised the security of consumers' personal data.
With this suit, the FTC is continuing its efforts to make sure that companies live up to the promises they make about privacy and data security. Forbes reported that the suit follows what some security researchers have described as a wave of attacks against the hospitality industry. Over the past several years, the FTC has filed suit against a number of companies alleging that their failure to maintain reasonable data security practices for consumers' sensitive personal information violates Section 5 of the FTC Act. Other companies that have settled similar charges with the FTC include Rite Aid, Twitter, Dave & Buster's and CVS Caremark. Those settlements included provisions requiring the defendants to: (i) establish and maintain programs to protect the security, confidentiality, and integrity of personal information collected from customers; and (ii) obtain independent, professional audits to ensure that the security program meets the standards of the settlements.
*Mr. MacDonald was formerly a lawyer with Olshan's IP Department.