Wyndham settlement validates FTC authority in cyber security
The well-known Wyndham Hotels and Resorts data breach is once again in the news. This time the company has agreed to settle with the Federal Trade Commission (FTC). Between 2008 and 2010, attackers broke into Wyndham's network in three separate intrusions and took payment card data belonging to hundreds of thousands of customers, failures the FTC attributed to inadequate security controls. Under the settlement, Wyndham has agreed to establish a comprehensive information security program designed to protect cardholder data (card numbers, names and expiration dates) and to obtain annual independent audits of that program to confirm that customer information is being protected.
According to the FTC's press release, the hotel chain must also maintain safeguards on the connections between its corporate network and its franchisees' servers, so that a compromise at one property cannot again be used as a path into the rest of the network. In addition, Wyndham is required to have its program and its risks formally assessed each year by a qualified, independent third-party auditor. These two measures are intended to reduce the likelihood of another breach.
Should the chain suffer another breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days. The order itself carries no monetary penalty, but if Wyndham fails to meet its reporting or security obligations in the future, the company will be exposed to civil penalties. These obligations remain in force for the next 20 years.
Wyndham's failure to protect sensitive consumer data, and to have an appropriate incident response plan in place, gave the FTC the test case it needed. The Third Circuit's 2015 ruling in FTC v. Wyndham, and now this settlement, confirm the Commission's authority to police corporate data security under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. Companies and their boards must acknowledge that cybersecurity preparedness requires constant oversight and ongoing investment. The government is certainly increasing its reach in this arena.
About the Author
Michael Talmanson is an Area Senior Vice President at Gallagher WGA in the Property and Casualty Group and area leader of the firm’s Technology and Cyber Risk Practice. He advises high technology, life sciences and financial services companies about insurance and risk management matters.