Ending its epic battle with the FTC, Wyndham entered into a settlement agreement with the agency. Under the terms of the Stipulated Order filed on December 9, 2015 with Judge Salas, Wyndham will establish a “comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.” In addition, the company is required to “conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”
These safeguards have a shelf-life of 20 years, which is common for FTC stipulated agreements involving data breaches. What is noteworthy, and distinct from other settlements, is that no money changes hands: Wyndham pays no fines, no investigative costs, nor any other amount. This overall result, especially in light of the Third Circuit ruling, can only be considered a solid victory for Wyndham.
Franchise operators also scored something of a victory, since the FTC finally gives some guidance as to what it considers a reasonable security program for franchise operators. First, the FTC signals to other companies that conforming to the most current Payment Card Industry Data Security Standard (PCI DSS) when certifying a security program is a step in the right direction towards a satisfactory program. Indeed, the settlement specifically defines its terms by reference to PCI DSS Version 3.1. Not surprisingly, the second aspect of a suitable program is a risk-based approach to threat assessment. As set forth in Section I.C of the Stipulated Order, Wyndham’s program must include “the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.”
The agreed-upon requirements also apply to any “entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order.” The overall compliance features of the Stipulated Order (compliance reporting, recordkeeping, and production of documents to the FTC on demand) mimic the discovery process available under the Federal Rules of Civil Procedure and will certainly be tested over the twenty-year term. Such future testing, coupled with potential new breaches, may lead to further stipulated orders. For the moment, however, Wyndham should be relieved with the results of its FTC skirmish, as well as happy with the work done by its counsel.