On the face of it, Wyndham Hotels and Resorts dodged a major bullet from the Federal Trade Commission (FTC).
After three major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges, the company last December settled a lawsuit brought by the FTC that doesn’t require it to pay a penny in fines or even admit that it did anything wrong.
The agency had charged Wyndham in 2012 with “unfair and deceptive practices” because it promised customers rigorous, “industry standard” security of their data when its actual security was weak to nonexistent according to the FTC, which was affirmed by federal courts.
But all the settlement requires Wyndham to do, according to a press release from the FTC, is, “establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates,” plus conduct annual information security audits and “maintain safeguards in connections to its franchisees’ servers.”
That is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS).
As Derek Brink, vice president and research fellow at the Aberdeen Group, put it in a written response to CSO that became a blog post, “the PCI Data Security Standard that says they had to do this was formalized about three and a half years prior to the first breach, and was itself preceded by independent cardholder security programs of the five major brands.”
Brink also noted that while the breaches began in April 2008, the FTC didn't sue the company until four years later, and the settlement came almost three and a half years after that – what he called a “glacially slow timeline,” during which, “the taxi meter of legal fees (was) rolling up expenses for both the taxpayer and the shareholders of Wyndham …”
But, as is often the case in legal proceedings, things are not necessarily as they appear on the face of it.
Several experts agreed with Brink that most of the settlement requirements are the same requirements that have been in place for years under the PCI DSS. But they note that the PCI DSS is not a government standard and is not a law – it was established by an association of the five major card brands – and therefore failure to comply with it is not illegal.
That means the case was not about fines for noncompliance, which the FTC doesn’t even have the authority to impose. It was instead about power – the authority of the FTC to charge Wyndham with “unfair and deceptive” practices because of its security flaws.