Wyndham had argued that the FTC didn’t have the authority to bring charges against it with regard to its cybersecurity practices. But the federal Third District Court rejected that argument, and the Third Circuit Court of Appeals affirmed the FTC’s authority in a decision handed down in August.
The settlement doesn’t change that, so on that level, it was “a big win” for the FTC, according to Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF).
“Wyndham basically argued, ‘even if all the facts are as you say, as a matter of law you don’t have the authority to do this because FTC power doesn’t reach that far,’” he said, “and the settlement means the FTC won the battle about its jurisdiction.”
That is also how Scott Talbott, senior vice president of government relations at the Electronic Transactions Association (ETA), sees it.
Any financial penalties for failing to be in compliance would come from the credit card brands that established the PCI DSS, he said, “but that’s done from a private contract standpoint – it’s not a legal requirement.”
None of the parties would say if Wyndham was penalized. The PCI Security Standards Council said it does not comment on compliance sanctions – that any information about it would have to come from the card brands.
The only card brand that responded to CSO was Visa, and Sandra Chu of its Corporate Communications office said the company is “not able to comment on specific cases or potential compliance fees.”
And Wyndham did not respond to a question about whether any penalty had been imposed by the card brands. It instead pointed CSO to the prepared statement it had issued after the settlement with the FTC was announced, which said in part that it was “pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.”
But Talbott said the recent settlement does strengthen the FTC’s regulatory hand, because it “adds another layer – a government regulatory layer – to the requirement for security.”
That, he said, means that a company breached in the future because of weak cybersecurity, exposing customer data, could be subject to both contractual and regulatory sanctions.
While the present settlement only applies directly to Wyndham, “other businesses will certainly take notice, even though they’re in other lines of business,” Talbott said.
Part of the reason the FTC is pursuing regulation of cybersecurity through legal decisions, he said, is that while there is currently a federal standard for data protection governing banks, there is no such federal standard for non-banks.